The Agent Skills Directory

[COMMAND_EXECUTION]: The script scripts/render-mv.sh attempts to automatically install system packages (e.g., fonts-noto-cjk, google-noto-sans-cjk-fonts) using apt-get, apk, or dnf. It explicitly attempts to use sudo to acquire root privileges if standard installation fails, which constitutes unauthorized privilege escalation on the host system.
[COMMAND_EXECUTION]: The scripts/render.mjs file uses child_process.execSync to construct and execute shell commands for video rendering. It interpolates variables like output, browserExe, and chromeMode into a command string. While it attempts to use double quotes, it does not escape the contents, making it vulnerable to command injection if an attacker provides a path or filename containing shell metacharacters (e.g., "; touch /tmp/pwned #).
[COMMAND_EXECUTION]: The scripts/render-mv.sh script executes ffprobe and ffmpeg using variables like AUDIO and OUTPUT directly in shell contexts. These variables are derived from user-supplied CLI arguments and are not sanitized, allowing for potential shell injection via maliciously crafted file paths.
[EXTERNAL_DOWNLOADS]: The skill downloads the chrome-headless-shell binary from Google servers if no local browser is detected. While the source (Google) is well-known, the skill documentation warns that this download happens automatically at runtime, which may be unexpected in restricted environments.

acestep-simplemv