NYC

markitdown

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • COMMAND_EXECUTION (MEDIUM): Instructions in INSTALLATION_GUIDE.md and OPENROUTER_INTEGRATION.md direct users to append environment variables to shell configuration files (~/.bashrc, ~/.zshrc) using echo commands. This constitutes a persistence mechanism that modifies the user's shell environment.
  • REMOTE_CODE_EXECUTION (MEDIUM): The skill supports a plugin architecture through the enable_plugins parameter in MarkItDown and utility scripts like batch_convert.py. The documentation (api_reference.md) encourages users to search GitHub for third-party plugins, creating a risk for supply chain attacks through unverified code execution.
  • PROMPT_INJECTION (LOW): The skill is susceptible to indirect prompt injection through document processing.
      1. Ingestion points: Untrusted content from PDFs, transcripts, and HTML is ingested via md.convert() in batch_convert.py, convert_with_ai.py, and convert_literature.py.
      2. Boundary markers: The scripts wrap output in Markdown frontmatter but do not include explicit 'ignore embedded instruction' warnings for the downstream LLM.
      3. Capability inventory: convert_with_ai.py sends extracted content to an LLM for analysis and description generation.
      4. Sanitization: No sanitization or filtering of instruction-like strings is performed on the ingested content.
  • EXTERNAL_DOWNLOADS (LOW): The skill requires downloading packages from PyPI and supports cloning from GitHub. Per [TRUST-SCOPE-RULE], these are downgraded to LOW severity as they target verified Microsoft and OpenRouter repositories.
Audit Metadata
  Risk Level: MEDIUM
  Analyzed: Feb 17, 2026, 06:18 PM