The Agent Skills Directory

[External Downloads] (LOW): The documentation for the converter agent (references/agents/converter.agent.md) recommends running a Docker container using the vvakame/review image to build PDFs. This introduces a dependency on an external, third-party container image not included in the trusted source list.
[Command Execution] (LOW): Several agents, including @writing and @converter, are explicitly granted permission to execute terminal commands. These permissions are used for legitimate tasks like running character count scripts and Git operations, but they extend the agent's capability into the local shell environment.
[Indirect Prompt Injection] (LOW): The skill exhibits an indirect prompt injection surface (Category 8) where user-provided metadata is interpolated into system instructions.
Ingestion points: The setup_workspace.py script takes --title and --name arguments from the user to populate templates.
Boundary markers: Generated files such as .github/copilot-instructions.md do not use delimiters or instructions to ignore embedded commands within the interpolated title or project name.
Capability inventory: The workspace includes agents with permissions to edit files in the 02_contents/ and 03_re-view_output/ directories and execute terminal commands.
Sanitization: Input strings are placed directly into template files without validation or escaping, allowing for potential manipulation of agent instructions if a malicious title is provided.
[Dynamic Execution] (LOW): The setup_workspace.py script dynamically generates the project structure and populates instruction files. While this is a standard scaffolding practice, it is the mechanism through which the indirect prompt injection surface is created.

book-writing-workspace