image-gen

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is vulnerable to indirect prompt injection via the --promptfiles argument, which allows reading content from local files. This untrusted data is interpolated into prompts sent to external AI APIs without sanitization or boundary markers.
    - Ingestion points: File content read via --promptfiles, reference images via --ref, and configuration overrides via EXTEND.md.
    - Boundary markers: None present; content is likely processed as raw prompt text.
    - Capability inventory: Network access (OpenAI/Google APIs) and file system write access (--image output).
    - Sanitization: No sanitization of ingested file content is mentioned.
  • [Command Execution] (MEDIUM): The skill executes local TypeScript scripts using npx -y bun. While Bun is a legitimate runtime, using npx with the -y flag on potentially untrusted or dynamic paths can lead to unintended command execution if the environment is not strictly controlled.
  • [External Downloads] (LOW): The use of npx -y may trigger automatic downloads of packages from the npm registry if the runtime or dependencies are not cached, representing an external dependency risk.
  • [Data Exposure] (MEDIUM): The skill loads sensitive configuration files and environment variables from the user's home directory (~/.content-gen-skills/). This allows a local attacker with limited privileges to poison the skill's behavior or intercept API keys by placing malicious files in the home directory.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 10:44 AM