ZFONT-CLI
Verdict: Pass. Audited by VirusTotal on May 11, 2026.
Findings (1)
The skill facilitates font searching and downloading from zfont.cn but contains shell injection vulnerabilities in the `download_font_archive` and `process_font_asset` actions within `skill.md`. It uses `bash -c` to execute `wget` and `unzip` commands using variables (`download_url`, `font_name`) fetched directly from a remote API without adequate shell sanitization. While the code includes a domain whitelist check for `https://files.zfont.cn/*`, the implementation remains vulnerable to RCE if the remote API returns crafted payloads.
