snapshot-to-nextjs
Pass
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it processes untrusted data from user-provided HTML and CSS snapshots.
  - Ingestion points: The skill reads and parses HTML files and their companion asset folders (e.g., _files/*.css) provided by the user in the source-pages/ directory.
  - Boundary markers: There are no explicit instructions or markers to distinguish between system instructions and data found within the snapshots, nor instructions to ignore embedded commands.
  - Capability inventory: The agent executes shell commands (find, grep, cat, curl) and performs file system operations (read/write in .design-soul/ and nextjs-project/).
  - Sanitization: The logic focuses on extracting CSS values and does not mention sanitizing the content for potential malicious instructions embedded in comments or metadata.
- [COMMAND_EXECUTION]: The orchestrator and sub-agents use shell commands for file discovery and content analysis. Evidence: Commands such as find, grep, ls, and wc are used in SKILL.md and references/foundations-agent.md. Specifically, the pattern cat $(find ...) is used to aggregate CSS files, which can be sensitive to filenames containing shell metacharacters in a non-sanitized environment.
- [EXTERNAL_DOWNLOADS]: The skill automatically downloads external assets discovered during the parsing phase. Evidence: In references/foundations-agent.md, Step 11 instructs the agent to extract external URLs from HTML and CSS and use curl -sL to download fonts, images, and icons into the local assets/ directory. These URLs are untrusted as they originate from the user-provided snapshots.