The Agent Skills Directory

[COMMAND_EXECUTION] (MEDIUM): The scripts/generate_pdf.py script passes user-provided file paths directly to subprocess.run when calling pandoc. Evidence: The variables markdown_file, output_pdf, and template are appended to the command list without validation or sanitization. While os.path.exists is checked for some inputs, an attacker can create files with names that act as command flags (e.g., --lua-filter=exploit.lua) to execute arbitrary code through Pandoc's filtering system.
[EXTERNAL_DOWNLOADS] (SAFE): The scripts/verify_citations.py script performs network operations to fetch metadata. Details: It communicates with doi.org and api.crossref.org using the requests library. These are reputable sources necessary for the skill's intended functionality.
[PROMPT_INJECTION] (LOW): The skill ingests untrusted data from external APIs and JSON files and interpolates it into markdown output without sanitization, exposing it to indirect prompt injection. Ingestion points: scripts/search_databases.py (JSON file input) and scripts/verify_citations.py (CrossRef API response). Boundary markers: No delimiters or warnings are used in the generated markdown output to separate untrusted content from instructions. Capability inventory: The skill possesses the ability to execute shell commands (via pandoc) and perform network requests. Sanitization: None detected; fields such as titles and abstracts are used directly.

literature-review