managing-bibliography
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) as it downloads and processes LaTeX source files from external sources. (1) Ingestion points: Downloads paper source archives from arxiv.org, extracting and reading .tex files. (2) Boundary markers: Absent; the agent is instructed to read the full text without delimiters or warnings to ignore embedded instructions. (3) Capability inventory: The skill can execute shell commands (curl, tar, mkdir, ls) and perform file-write operations on bibliography files. (4) Sanitization: No content filtering or validation is performed on the downloaded LaTeX files.
- [COMMAND_EXECUTION]: The skill executes several shell commands to manage files and network requests. Evidence: Use of mkdir, tar -xzf for archive extraction, and curl for API interactions and data retrieval.
- [EXTERNAL_DOWNLOADS]: Fetches data and archives from well-known scientific services. Evidence: Downloads paper sources from arxiv.org and queries citation metadata from api.adsabs.harvard.edu.
- [CREDENTIALS_UNSAFE]: The skill instructs the agent to display the value of a sensitive environment variable. Evidence: The use of 'echo $ADS_API_TOKEN' to verify setup causes the authentication secret to be printed in the agent's output logs.
Audit Metadata