skills/kortix-ai/suna/presentations/Gen Agent Trust Hub

presentations

Fail

Audited by Gen Agent Trust Hub on May 12, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Command injection vulnerability in the internal script runner.
      • The runPythonScript function in presentation.ts constructs shell commands using string interpolation of arguments: ``python3 ${script} ${args.map(a => `"${a}"`).join(" ")}``.
      • The implementation fails to sanitize or escape double quotes within the arguments, allowing an attacker to break out of the quoting and execute arbitrary shell commands on the host machine.
  • [DATA_EXFILTRATION]: Path traversal vulnerability in the on-demand viewer server.
      • The doServe function in presentation.ts extracts a relative file path from the URL and joins it with the presentation directory using join(presDir, rest) without validation or normalization.
      • An attacker can exploit this by crafting a URL containing directory traversal sequences (e.g., ../../../../etc/passwd) to read sensitive files outside the intended directories.
      • Additionally, the server listens on 0.0.0.0 (all interfaces), potentially exposing these local files to the network.
  • [PROMPT_INJECTION]: Indirect prompt injection surface through dynamic HTML rendering.
      • Ingestion points: The create_slide command takes raw HTML content and writes it to the local filesystem via presentation.ts.
      • Boundary markers: None. User-provided HTML is directly embedded into a slide template.
      • Capability inventory: The skill uses playwright (via convert_pdf.py, convert_pptx.py, and validate_slide.py) to render these slides. The renderer runs with the --no-sandbox flag and handles file:// URLs.
      • Sanitization: None. This environment creates a risk where malicious HTML could execute scripts in the headless browser to access local resources or manipulate the agent's context.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: May 12, 2026, 11:22 AM
Security Audit — agent-trust-hub — presentations