The Agent Skills Directory

[COMMAND_EXECUTION]: The skill executes a shell command in Step 7 to generate PDFs using Pandoc. The <job-id> variable, which is either user-provided or read from the filesystem, is interpolated directly into the bash command: pandoc ~/.scout/applications/<job-id>/cv.md .... If the <job-id> contains shell metacharacters (e.g., $(whoami) or ; rm -rf /), it allows for arbitrary command execution on the host system.
[REMOTE_CODE_EXECUTION]: The skill uses the --pdf-engine=xelatex flag with Pandoc. LaTeX engines are powerful and can execute local commands or include local files via directives like \write18 or \input. Because the input cv.md is generated from untrusted job listings (external data), an attacker could inject malicious LaTeX code into a job description that the LLM then includes in the CV, leading to the disclosure of sensitive files (e.g., SSH keys or ~/.scout/profile/master-profile.md) in the final PDF document.
[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes job listings from ~/.scout/jobs/<job-id>.md. An attacker-controlled job listing could contain hidden instructions designed to override the agent's behavior, such as forcing the inclusion of specific malicious content or bypassing the 'Honesty Check' rules.
Ingestion points: Reads job descriptions from ~/.scout/jobs/<job-id>.md (Step 1).
Boundary markers: None explicitly defined to separate untrusted job content from agent instructions.
Capability inventory: Subprocess execution via pandoc (Step 7) and extensive file write access to the ~/.scout/applications/ directory.
Sanitization: No input sanitization or escaping of job listing content is performed before interpolation into the generation pipeline.

scout-apply