story-cover

Warn

Audited by Gen Agent Trust Hub on May 12, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides bash code snippets in SKILL.md (Step 3) for the agent to execute. These snippets use curl to send data to an API, interpolating variables like ${PROMPT} (which contains user-provided book titles and author names) directly into a shell string. Without proper sanitization or escaping of these inputs, special characters could be used to break out of the JSON structure or the shell command itself, leading to arbitrary command execution on the host system.
  • [EXTERNAL_DOWNLOADS]: The skill is designed to perform network requests to an external API (defaulting to api.openai.com) using curl. It also allows the user to override the GPT_IMAGE_BASE_URL via environment variables. This capability could be leveraged to redirect sensitive data, such as the GPT_IMAGE_API_KEY and prompt content, to an untrusted external server.
  • [PROMPT_INJECTION]: The skill processes untrusted user input (book titles, author names, and descriptions) and interpolates them into instructions for an image generation model. This creates a surface for indirect prompt injection where a user could provide a title designed to override the agent's formatting instructions or influence the model's behavior beyond the intended scope.
  • Ingestion points: Ingests '书名' (Book Title) and '作者名' (Author Name) from the user in SKILL.md (Step 1).
  • Boundary markers: None; the input is directly placed inside a multi-layered template (prompt string → JSON body → shell command).
  • Capability inventory: Performs network requests via curl and file system operations via mkdir, jq, and base64 in SKILL.md (Step 3).
  • Sanitization: No instructions or mechanisms are provided to validate or escape user input before it is used in executable commands.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 12, 2026, 05:55 PM