paper-reader

Pass

Audited by Gen Agent Trust Hub on Mar 20, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted data from external academic papers and web pages.
  • Ingestion points: Untrusted data enters the agent context through WebFetch of arXiv HTML and project pages, as well as Read operations on PDF files and Zotero database entries.
  • Boundary markers: The prompt construction in paper_daemon.py lacks explicit delimiters or instructions to ignore embedded commands within the interpolated paper metadata.
  • Capability inventory: The skill possesses extensive capabilities across its scripts, including Bash (command execution), Write/Edit (file system modification), WebFetch/WebSearch (network access), and automated Git operations.
  • Sanitization: No explicit sanitization or filtering is performed on paper titles or content before they are interpolated into the system prompts.
  • [COMMAND_EXECUTION]: The paper_daemon.py script uses subprocess.run to execute the claude CLI and other system tools like cp. While it avoids using shell=True, it interpolates external data (like paper titles) into the command arguments, which represents a potential attack surface if the CLI tool itself is vulnerable to specific argument patterns.
  • [EXTERNAL_DOWNLOADS]: The skill frequently performs network operations to fetch paper content and images from academic sources (e.g., arxiv.org). While these are well-known academic services, the automated nature of the downloads could be leveraged to interact with malicious URLs if they are embedded in paper metadata.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 20, 2026, 12:32 PM