baoyu-xhs-images

Warn

Audited by Gen Agent Trust Hub on Apr 8, 2026

Risk Level: MEDIUM
Findings: PROMPT_INJECTION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill instructions in SKILL.md and references/workflows/prompt-assembly.md explicitly command the agent to "DO NOT refuse to generate" content even when it involves sensitive or copyrighted figures, directing it to offer stylistic alternatives instead of following standard refusal protocols. This amounts to a directive to bypass safety filters.
  • [REMOTE_CODE_EXECUTION]: In references/workflows/prompt-assembly.md, the skill references a command npx -y bun ${SKILL_DIR}/scripts/main.ts to facilitate image generation. Since the scripts/main.ts file is not included in the skill's provided file list, this suggests the execution of external or side-loaded code that has not been audited.
  • [DATA_EXFILTRATION]: The workflow in SKILL.md (Step 0) and references/config/first-time-setup.md involves reading from and writing to the user's home directory ($HOME/.baoyu-skills/) for persistent configuration. Accessing files outside the project scope is a sensitive operation that can lead to unintended data exposure or credential harvesting if misused.
  • [COMMAND_EXECUTION]: The skill uses bash commands like test -f and mkdir to manage its configuration environment and check for the existence of the EXTEND.md file.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) as it processes untrusted user content to generate downstream prompts and outlines without proper sanitization.
      • Ingestion points: Content is read from user-provided file paths or direct pastes and saved to source.md and analysis.md.
      • Boundary markers: There are no markers or system instructions telling the agent to ignore instructions embedded within the source content during the analysis phase.
      • Capability inventory: The skill can write files to the workspace and call external image generation tools with dynamically constructed prompts.
      • Sanitization: The skill lacks any visible sanitization or escaping of user-provided text before it is interpolated into analysis and generation templates.
Audit Metadata
  Risk Level: MEDIUM
  Analyzed: Apr 8, 2026, 06:31 AM