daily-papers
Pass
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill fetches paper metadata, PDF files, and images from well-known scholarly services including `arxiv.org` and `huggingface.co`. These downloads are used for the skill's primary function of academic paper tracking and visualization.
- [COMMAND_EXECUTION]: The skill uses `asyncio.create_subprocess_exec` and `subprocess_shell` to execute system utilities such as `curl`, `pdftotext`, and `pdfimages`. Input parameters, such as arXiv IDs, are strictly validated using regular expressions (`\d{4}\.\d{4,5}`) to prevent command injection. The automated scan findings regarding piping to Python refer to the internal processing of PDF data through a local script, which does not involve executing remote code.
- [PROMPT_INJECTION]: The skill ingests untrusted text from paper abstracts and titles. While this creates a surface for indirect prompt injection, the risk is mitigated by the structured extraction of data and the absence of high-privilege operations being performed on the processed text. This behavior is consistent with the skill's primary purpose.
- [SAFE]: The skill implements several defensive measures, including verifying file magic bytes to ensure downloaded content matches expected image formats and using non-shell subprocess calls where possible to minimize injection risks.
Audit Metadata