The Agent Skills Directory

[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it ingests untrusted data from external .pen files and directs the agent to visually analyze the resulting screenshots. Malicious instructions embedded within the design files or rendered images could be interpreted by the agent during the analysis phase.
Ingestion points: The filePath parameter in SKILL.md enables the agent to load data from external files on the system into the tool.
Boundary markers: Absent; the instructions do not provide delimiters or specific guidance for the agent to disregard content found within the processed files.
Capability inventory: The skill calls the get_screenshot tool and requires the agent to visually "look" at the output to verify design elements like alignment and spacing.
Sanitization: Absent; no validation or filtering of the file content is performed before the agent processes and analyzes the visual output.
[PROMPT_INJECTION]: The instructions employ authoritative language and "CRITICAL" labels (e.g., "You must ONLY use this skill when the user EXPLICITLY mentions 'Pencil'") to constrain agent behavior. Although these resemble prompt injection patterns, they are used here as a defensive measure to ensure the tool is only activated in the correct context and to minimize the risk of accidental tool triggering.

pencil-mcp-get-screenshot