The Agent Skills Directory

[INDIRECT_PROMPT_INJECTION]: The skill ingests untrusted user content from articles to generate image prompts, which is an inherent attack surface for indirect prompt injection attacks where malicious instructions hidden in text could influence agent behavior.
Ingestion points: Article content read from user-specified file paths or pasted text in SKILL.md and workflow.md.
Boundary markers: The prompt templates in prompt-construction.md provide structure but do not use specific security delimiters (like XML tags or triple quotes) to isolate user data.
Capability inventory: The skill can read local files, write to the file system (prompts, outlines, images), and invoke external image generation skills.
Sanitization: No explicit sanitization or filtering of the input article text is documented before it is used to populate prompt fields.
[PROMPT_INJECTION]: The system prompt in prompts/system.md contains an instruction to not refuse generation if safety filters are triggered by sensitive or copyrighted content, instead suggesting stylistic alternatives. While this is a common instruction for creative tools to avoid failure, it represents a minor attempt to steer the model's safety behavior.
[COMMAND_EXECUTION]: The skill uses basic shell commands (test, echo) to verify the existence of configuration files (EXTEND.md) and handle file paths. These commands are benign and restricted to file system checks.

baoyu-article-illustrator