article-batch-illustration

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE] (HIGH): The file SKILL.md contains a hardcoded Gemini API key: AIzaSyDvvGGRbH4Os3Er0dYi0kE_AzE3_2b_Az8. Hardcoding the credential means anyone who can read the skill (including anyone it is shared with or any repository it is committed to) can call the Gemini API as the author and consume or exhaust their quota; a key published this way has to be treated as exposed.
  • [COMMAND_EXECUTION] (HIGH): The skill instructs the agent to execute a Python script (scripts/generate_image.py) via the shell with arguments (--prompt and --output) that are dynamically constructed from the title and headings of a user-provided article, with no sanitization, escaping or validation.
  • Evidence: The SKILL.md Phase 2 section instructs the agent to run a python3 command whose --output path and --prompt string are assembled from components such as 主题名 (theme name) and 段落名 (paragraph name) taken verbatim from the article Markdown.
  • Risk: A malicious article with a title such as $(touch /tmp/exploit) reaches the shell unquoted and is executed as a command substitution (command injection); a title such as ../../../../etc/passwd steers the --output path outside the intended Obsidian directory (path traversal).
  • [PROMPT_INJECTION] (LOW): The skill is exposed to indirect prompt injection because it ingests untrusted external Markdown and lets that content drive both its core logic and its command parameters.
  • Ingestion points: The entire Markdown body of the article supplied by the user (as described in SKILL.md Phase 1).
  • Boundary markers: Absent. Nothing instructs the agent to distinguish its own system instructions from the content of the article being processed, so instructions embedded in the article are indistinguishable from the skill's own.
  • Capability inventory: Shell command execution via subprocess (invoking python3 scripts/generate_image.py) and file system writes performed by that script.
  • Sanitization: Absent. There is no logic to escape shell metacharacters or to verify that generated file paths resolve inside the intended Obsidian directory.
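The two HIGH findings above describe one vulnerable pattern (untrusted headings interpolated into a shell command and an output path) and one exposed secret. The block below is an added illustration, not code from the skill or from Gen Agent Trust Hub: it shows the unsafe command construction the finding describes next to a hardened version (argv list with no shell, filename-safe components, a containment check on the resolved path), plus a scanner for Google-style API keys of the kind found in SKILL.md. OBSIDIAN_DIR, the sample SKILL.md text and the dummy key are constructed for the example; the flag names --prompt and --output and the script path come from the audit.

```python
import re
import subprocess
from pathlib import Path

# Assumed vault location for the example; the real skill's directory is not stated in the audit.
OBSIDIAN_DIR = Path("/vault/attachments")
SCRIPT = "scripts/generate_image.py"          # script path named in the finding


def build_command_unsafe(theme: str, paragraph: str) -> str:
    """The pattern the finding describes: headings from the article Markdown are
    interpolated straight into one shell string. Returned, not executed, so the
    reader can see that $(...) and ../ survive untouched."""
    output = f"{OBSIDIAN_DIR}/{theme}/{paragraph}.png"
    prompt = f"Illustration for {theme}: {paragraph}"
    return f'python3 {SCRIPT} --prompt "{prompt}" --output "{output}"'


def safe_component(text: str, max_len: int = 64) -> str:
    """Reduce a heading to a filename-safe component.
    Keeps Unicode word characters (so CJK headings like 主题名 survive), spaces,
    dashes and underscores; drops everything else, including $ ( ) . and /.
    Whitespace runs become a single underscore; empty results are rejected."""
    cleaned = re.sub(r"[^\w\s-]", "", text).strip()
    cleaned = re.sub(r"\s+", "_", cleaned)[:max_len]
    if not cleaned:
        raise ValueError("heading yields no usable filename component")
    return cleaned


def build_command_safe(theme: str, paragraph: str) -> list[str]:
    """Hardened form: an argv list (never re-parsed by a shell), sanitized path
    components, and a check that the resolved output stays under OBSIDIAN_DIR
    even if the sanitizer were ever weakened."""
    base = OBSIDIAN_DIR.resolve()
    output = (base / safe_component(theme) / f"{safe_component(paragraph)}.png").resolve()
    if not output.is_relative_to(base):
        raise ValueError("output path escapes the Obsidian directory")
    # The prompt is data: as its own argv element it cannot become a command.
    prompt = f"Illustration for {theme}: {paragraph}"
    return ["python3", SCRIPT, "--prompt", prompt, "--output", str(output)]


def run(argv: list[str]) -> subprocess.CompletedProcess:
    """Launch without shell=True so no element of argv is ever shell-interpreted."""
    return subprocess.run(argv, shell=False, check=True, capture_output=True, text=True)


# Google API keys (Gemini included) have the shape AIza + 35 URL-safe characters.
GOOGLE_KEY_RE = re.compile(r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])")


def find_hardcoded_google_keys(text: str) -> list[str]:
    """Return every Google-style API key literal found in a skill file."""
    return GOOGLE_KEY_RE.findall(text)


# Constructed SKILL.md fragment with a dummy key of the right shape (not the real one).
SAMPLE_SKILL_MD = (
    "# article-batch-illustration\n"
    "export GEMINI_API_KEY=" + "AIzaSyA" + "0" * 32 + "\n"
    "python3 scripts/generate_image.py --prompt \"...\" --output \"...\"\n"
)

if __name__ == "__main__":
    hostile_theme = "../../../../etc/passwd"
    hostile_paragraph = "$(touch /tmp/exploit)"
    print("unsafe:", build_command_unsafe(hostile_theme, hostile_paragraph))
    print("safe:  ", build_command_safe(hostile_theme, hostile_paragraph))
    print("keys:  ", find_hardcoded_google_keys(SAMPLE_SKILL_MD))
```

Running the block prints the unsafe command with the command substitution and traversal sequence intact, while the hardened argv reduces the same headings to etcpasswd and touch_tmpexploit under the vault directory. The key scanner is the check a reviewer would run over SKILL.md before publishing a skill; a hit means the key must be removed from the file and rotated.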
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 06:38 PM