abs-journal

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • Indirect Prompt Injection (LOW): The skill processes untrusted user input (paper titles and abstracts) which is passed to internal scripts and eventually interpreted by the agent. This represents an indirect prompt injection surface.
      • Ingestion points: Untrusted data enters the context through scripts/abs_journal.py via the --title and --abstract CLI arguments.
      • Boundary markers: No explicit delimiters or guardrail instructions are used when interpolating this data into script arguments or final reports.
      • Capability inventory: The skill uses subprocess.run across multiple scripts (abs_journal.py, hybrid_report.py) and involves AI-driven selection logic, creating a path for malicious content to influence agent decisions.
      • Sanitization: No sanitization or content validation is performed on the input strings before they are processed by the recommendation engine.
  • Command Execution (LOW): The skill relies on executing local Python scripts and standard shell commands to manage its workflow.
      • Evidence: scripts/abs_journal.py uses subprocess.run to orchestrate other implementation scripts. The openspec management sub-skills (e.g., in .opencode/skills/) use commands like mkdir -p and mv to manage the project structure.
      • Context: These operations are well-defined and strictly associated with the skill's primary purpose of data management and report generation.
  • Credentials Handling (SAFE): The system correctly avoids hardcoded secrets.
      • Evidence: scripts/ajg_fetch.py and documentation explicitly require credentials (AJG_EMAIL, AJG_PASSWORD) to be provided via environment variables, adhering to security best practices for AI agent skills.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:09 PM