sn-ppt-entry

Warn

Audited by Gen Agent Trust Hub on May 1, 2026

Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill processes untrusted content from user-uploaded documents (PDF, DOCX, MD, TXT), creating a surface for indirect prompt injection. Maliciously crafted content within these documents could attempt to influence the LLM during the digest generation or affect downstream presentation stages.
  • Ingestion points: User-uploaded files are parsed by scripts/parse_user_docs.py, and the resulting text is passed to the LLM via prompts/document_digest.md.
  • Boundary markers: The prompt in prompts/document_digest.md lacks explicit delimiters or instructions for the LLM to ignore embedded commands within the interpolated document text.
  • Capability inventory: The skill is capable of directory creation (mkdir), file writing (task_pack.json, info_pack.json), executing Python scripts, and dispatching to other skills (sn-ppt-creative, sn-ppt-standard).
  • Sanitization: The parsing script performs text truncation to 20,000 characters but does not implement filtering or sanitization for prompt injection patterns.
  • [COMMAND_EXECUTION]: The skill employs dynamic library loading and executes shell commands that rely on environment variables for path resolution.
  • Evidence: In SKILL.md, a python3 -c command dynamically modifies sys.path using the $PPT_STANDARD_DIR environment variable to import a local module.
  • Evidence: The scripts/caption_images.py script similarly uses sys.path.insert to load the model_client dependency from a path computed via the $PPT_STANDARD_DIR variable. This pattern of dynamic loading from computed paths is a medium-risk behavior as it could lead to the execution of unintended code if environment variables point to untrusted locations.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 1, 2026, 09:01 AM