ecom-image2

Pass

Audited by Gen Agent Trust Hub on May 9, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION

Full Analysis
  • [COMMAND_EXECUTION]: The workflow defined in SKILL.md (Step 4) instructs the agent to execute a shell command that interpolates a JSON object containing user-controlled input into a subshell: `bash scripts/imagegen.sh --prompt-file <(echo '<assembled_json>')`. This pattern is vulnerable to shell injection if the user input contains single quotes or other shell metacharacters that escape the intended string literal during interpolation.
  • [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface (Category 8) as it processes untrusted user descriptions and integrates them into complex prompts for an AI-powered execution tool (Codex).
  • Ingestion points: Untrusted data enters the agent context via user-provided product descriptions and scene details processed in SKILL.md.
  • Boundary markers: The skill uses structured JSON templates in references/templates/ for data organization, but it lacks explicit 'ignore embedded instructions' markers or delimiters to protect against malicious directives hidden in user input.
  • Capability inventory: The skill has authorized access to the Bash and Read tools, enabling shell execution, local file system manipulation (e.g., rm -rf in Step 5), and network access via curl in the generation script.
  • Sanitization: The wrapper script scripts/imagegen.sh demonstrates high security maturity by using jq to safely encode JSON payloads for HTTP requests. However, the recommended CLI workflow in SKILL.md lacks equivalent escaping for direct shell interpolation.
Audit Metadata
Risk Level: SAFE
Analyzed: May 9, 2026, 12:37 PM