This skill is vulnerable to arbitrary
Claims to do
Knowledge Comic Creator: Create original knowledge comics with flexible art style × tone combinations.
Actually does
The skill processes input content and user options to generate a storyboard, character definitions, and image prompts. It then orchestrates comic creation by invoking an external image generation skill to produce comic pages and character sheets, optionally compressing images using `sips` or `pngquant`. Finally, it uses `scripts/merge-to-pdf.ts` (executed via `bun` or `npx`) to merge the generated images into a PDF.
The skill explicitly defines a mechanism to execute TypeScript scripts using 'bun' or 'npx'. If script names or arguments are not properly sanitized, this can lead to arbitrary code execution.
Agent Execution Instructions:
1. Determine this SKILL.md file's directory path as `{baseDir}`
2. Script path = `{baseDir}/scripts/<script-name>.ts`
4. Resolve `${BUN_X}` runtime: if `bun` installed → `bun`; if `npx` available → `npx -y bun`The skill directly invokes system commands like 'sips' (macOS) and 'pngquant' for image compression. Lack of input sanitization for file paths could allow command injection.
Or system tools: `sips -s format jpeg -s formatOptions 80 input.png --out output.jpg` (macOS) Or: `pngquant --quality=65-80 input.png -o output.png`
The output directory path `comic/{topic-slug}/` uses a user-derived 'topic-slug'. Insufficient sanitization of this slug could enable path traversal attacks, leading to arbitrary file writes or reads.
Output directory: `comic/{topic-slug}/`
Slug: 2-4 words kebab-case from topicThe skill invokes an external image generation skill (e.g., 'baoyu-imagine'). This introduces a supply chain risk, as vulnerabilities or malicious intent in the invoked skill could be exploited.
Invoke an installed image generation skill such as `baoyu-imagine` Read that skill's `SKILL.md` and follow its documented interface
The skill loads configuration from `EXTEND.md` in specific user or project directories. If an attacker can modify this file, they could poison the agent's preferences or introduce malicious configurations.
CRITICAL: If EXTEND.md not found, MUST complete first-time setup... Path: `.baoyu-skills/baoyu-comic/EXTEND.md` | `$HOME/.baoyu-skills/baoyu-comic/EXTEND.md`
The skill's description implies it directly performs 'sequential image generation'. However, the detailed workflow shows it delegates the actual image generation to an 'installed image generation skill' and image compression to system tools, acting as an orchestrator rather than a direct image creator.
Description: 'Creates original educational comics with detailed panel layouts and sequential image generation.' Workflow: 'Invoke an installed image generation skill such as `baoyu-imagine`', 'Use available image compression skill (if any) Or system tools: `sips`... Or: `pngquant`...'
[](https://mondoo.com/ai-agent-security/skills/github/jimliu/baoyu-skills/baoyu-comic)<a href="https://mondoo.com/ai-agent-security/skills/github/jimliu/baoyu-skills/baoyu-comic"><img src="https://mondoo.com/ai-agent-security/api/badge/github/jimliu/baoyu-skills/baoyu-comic.svg" alt="Mondoo Skill Check" /></a>https://mondoo.com/ai-agent-security/api/badge/github/jimliu/baoyu-skills/baoyu-comic.svgSkills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.