paper-reader

Fail

Audited by Gen Agent Trust Hub on Mar 9, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The script paper_daemon.py invokes the claude CLI with the --dangerously-skip-permissions flag, which suppresses the sub-agent's interactive security confirmations. Because the skill is designed to fetch and process untrusted external content from academic papers (arXiv, project pages, GitHub), this configuration allows a malicious paper to trigger arbitrary command execution or local file access through indirect prompt injection, with no user oversight.
  • [COMMAND_EXECUTION]: The skill frequently uses subprocess.run and shell instructions to run local Python scripts, Git commands, and binary utilities such as pdfimages. This includes automated git commit and git push operations on the user's Obsidian vault.
  • [DATA_EXFILTRATION]: Although the primary use is internal data management, assets/zotero_helper.py and assets/reorganize_notes.py perform direct INSERT and DELETE operations on the user's Zotero SQLite database. This exposes the research database to data corruption or unauthorized modification if the agent's logic is subverted by malicious input.
  • [INDIRECT_PROMPT_INJECTION]:
    • Ingestion points: Processes untrusted data from arXiv HTML/PDF, project websites, and GitHub through the WebFetch and WebSearch tools.
    • Boundary markers: No delimiters or safety instructions are used to separate paper content from agent commands during processing.
    • Capability inventory: The agent can write to the local file system, modify the Zotero database, and execute shell commands.
    • Sanitization: No sanitization is performed on ingested paper text before it is passed to the sub-agent for analysis; the skill relies entirely on the sub-agent's internal safeguards, which are partially disabled by the CLI flags above.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 9, 2026, 02:29 AM