skills/hkuds/nanobot/image-generation

image-generation

Pass

Audited by Gen Agent Trust Hub on May 13, 2026

Risk Level: SAFE
Tags: PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted user-supplied data (image descriptions and prompts) and passes them directly to the generate_image tool without sanitization.
  • Ingestion points: User-provided strings for the prompt parameter and iterative edit descriptions in SKILL.md.
  • Boundary markers: Absent; there are no instructions to delimit or ignore instructions within the user-provided prompt data.
  • Capability inventory: The skill uses the generate_image tool, which can read from and write to the local media directory.
  • Sanitization: None; the agent is instructed to write detailed prompts based on the user's input and to call the tool directly.
  • [COMMAND_EXECUTION]: The documentation and examples suggest the use of local filesystem paths (e.g., /home/user/.nanobot/media/generated/...) for tracking and editing image artifacts. An attacker could attempt path traversal by providing a malicious file path instead of a valid image artifact path to the reference_images parameter.
  • [CREDENTIALS_UNSAFE]: The skill documentation includes examples of provider configurations for OpenRouter and AIHubMix that involve API keys. While it uses placeholders like sk-or-... and sk-... and correctly advises against asking users for keys in chat, it defines a standard pattern for credential management that could lead to exposure if configuration files are mishandled.
Audit Metadata
Risk Level: SAFE
Analyzed: May 13, 2026, 04:02 AM