sn-infographic

Fail

Audited by Gen Agent Trust Hub on May 1, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The orchestration workflow defined in SKILL.md contains multiple instances where user-supplied input or derived content is directly interpolated into shell commands. Specifically, variables like $USER_PROMPT, $EXPANDED_PROMPT, and $STRUCTURED_CONTENT are used in operations such as python ... --user-prompt "$USER_PROMPT" and echo "$EXPANDED_PROMPT" > "$TEMP_DIR/expanded-prompt.txt". An attacker can exploit this by including shell metacharacters (e.g., ;, &, |, or backticks) in their request to execute arbitrary system commands on the host environment.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its complex multi-stage processing of untrusted user input. The user_prompt is passed through evaluation, analysis, and expansion phases using LLM tools. The system prompt for the expansion phase (references/prompts-expand-system.md) lacks robust boundary markers or specific instructions to treat user content as data only, making it possible for a maliciously crafted prompt to override the skill's instructions and influence the final image generation or the agent's behavior.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 1, 2026, 09:01 AM