The Agent Skills Directory

[PROMPT_INJECTION]: The skill has a vulnerability surface for indirect prompt injection as it extracts and processes text from untrusted images and PDFs. 1. Ingestion points: Data enters the agent context via the --file-url and --file-path parameters as described in SKILL.md. 2. Boundary markers: There are no explicit delimiters or instructions to ignore embedded commands in the extracted text. 3. Capability inventory: The skill has the ability to execute shell commands via scripts/ocr_caller.py and scripts/configure.py. 4. Sanitization: No sanitization or validation of the OCR results is mentioned before the data is returned to the agent's context.
[COMMAND_EXECUTION]: The skill's usage instructions direct the agent to construct shell commands using user-provided inputs, such as URLs or file paths. This creates a potential command injection surface if the inputs are not properly sanitized before execution. Specifically, SKILL.md illustrates executing python scripts/ocr_caller.py --file-url "URL provided by user" and python scripts/ocr_caller.py --file-path "file path", where the quotes might be insufficient to prevent shell escaping or command chaining in certain environments.

ppocrv5