image-batch-runner

Pass

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill downloads generated image assets from hosted media providers. Evidence: scripts/generate_image.mjs, scripts/edit_image.mjs, and scripts/poll_prediction.mjs use the downloadFile utility from scripts/_shared.mjs to fetch images from remote URLs. Additionally, the shared utility _postplus_shared/00-core/shared-runtime/scripts/download_videos_from_manifest_with_ytdlp.mjs is designed to download video content from URLs provided in a manifest file.
  • [COMMAND_EXECUTION]: The skill includes a shared utility for video acquisition that uses a subprocess. Evidence: _postplus_shared/00-core/shared-runtime/scripts/download_videos_from_manifest_with_ytdlp.mjs uses node:child_process.spawn to execute python3 -m yt_dlp. The arguments are passed as an array, preventing shell injection.
  • [DATA_EXPOSURE]: The skill accesses vendor-specific configuration to authenticate cloud requests. Evidence: _postplus_shared/00-core/shared-runtime/scripts/lib/postplus_cli_config.mjs reads the cliSessionToken from the vendor's configuration directory (e.g., ~/.config/postplus/config.json). This is standard behavior for a vendor-integrated CLI tool and is used exclusively for requests to the author's own infrastructure.
  • [PROMPT_INJECTION]: The skill has a surface for indirect prompt injection as it processes externally supplied prompts and URLs. Evidence: scripts/generate_image.mjs and scripts/edit_image.mjs interpolate prompts from request.json files into cloud API calls. download_videos_from_manifest_with_ytdlp.mjs processes URLs from a manifest file. These inputs are used within the scope of intended tool functionality and do not bypass safety controls.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 11, 2026, 01:13 PM