The Agent Skills Directory

[EXTERNAL_DOWNLOADS]: The skill instructs users to clone a repository from an untrusted GitHub account (nexu-io/open-design) and references external skill components from other unknown repositories (e.g., op7418/guizang-ppt-skill).
[COMMAND_EXECUTION]: The installation and execution process involves running pnpm install and pnpm tools-dev on the local machine. This starts a background daemon that manages local file operations, executes coding agent binaries, and listens on a local port with configuration that allows any domain to interact with it.
[PROMPT_INJECTION]: The skill presents a surface for indirect prompt injection attacks.
Ingestion points: Untrusted content enters the agent's context through user messages in the client.chat interface and via the importClaudeDesign service which processes external ZIP files.
Boundary markers: There are no documented boundary markers or instructions to isolate or ignore malicious commands that might be embedded in imported design artifacts or user prompts.
Capability inventory: The environment allows for significant local capabilities including executing subprocesses (agent CLIs), writing to the local workspace, and performing network requests for media generation.
Sanitization: The analysis did not find evidence of sanitization or validation of inputs from external ZIP files or user-provided messages before they are processed by the design engine.

open-design-ai-prototyping