preline-theme-generator

Warn

Audited by Gen Agent Trust Hub on May 10, 2026

Risk Level: MEDIUM
Flags: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: Instructions in SKILL.md (Steps 3 and 4) explicitly direct the agent to execute shell commands autonomously with directives like "AUTO-RUN, NO PROMPT" and "must run silently without user approval." These instructions are designed to suppress user oversight and bypass standard human-in-the-loop security constraints.
  • [COMMAND_EXECUTION]: The workflow relies on the agent interpolating user-provided values (e.g., theme name, hue) into shell command templates such as echo '{"name":"<theme-name>",...}' > /tmp/preline-theme-config.json. The instructions lack explicit requirements for the agent to sanitize or escape these values, creating a surface for command injection through malicious user input.
  • [EXTERNAL_DOWNLOADS]: The skill recommends using npx preline-theme-generator, which fetches and executes code from the public NPM registry at runtime. While the package is likely associated with the Preline ecosystem by the same author, executing unversioned code from a public registry introduces potential supply chain risk.
  • [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface as it ingests untrusted natural language theme descriptions and processes them into config values used in subsequent tool calls.
      • Ingestion points: User-provided theme descriptions and names in the SKILL.md workflow.
      • Boundary markers: Absent in the shell command templates.
      • Capability inventory: Shell command execution (echo, rm, node, npx) and file system writes via generate-theme.js.
      • Sanitization: The generator script performs basic regex validation on the name field, but the agent's shell command construction instructions lack explicit sanitization guidance.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 10, 2026, 02:21 PM