make_latex_model

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill frequently spawns subprocesses to execute external tools including xelatex, bibtex, soffice, and pdftoppm. These calls are found in scripts/run_ai_optimizer.py, scripts/benchmark.sh, and tests/v202601052142/run_test.sh. While project paths are validated to stay within PROJECTS_ROOT, the execution of a LaTeX compiler on AI-modified source code is inherently risky.
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill's 'AI Optimizer' (scripts/core/ai_optimizer.py) implements a feedback loop where an AI reasoner suggests modifications to LaTeX configuration files (@config.tex). If a malicious PDF or Word document is provided as a benchmark, it could manipulate the AI's reasoning (Indirect Prompt Injection) to inject malicious LaTeX commands. Because LaTeX compilers often support features like shell-escape (\write18), this can lead to arbitrary command execution on the host system.
  • [DATA_EXPOSURE] (MEDIUM): The skill accesses files within the projects/ directory, specifically targeting @config.tex and main.tex. Although there is no evidence of active exfiltration, the capability to read and process local project files in conjunction with potential command execution increases the risk of sensitive data exposure if compromised.
  • [INDIRECT_PROMPT_INJECTION] (HIGH): There is a clear mandatory evidence chain for Category 8:
    1. Ingestion points: analyze_pdf.py (PDF via PyMuPDF) and heading_validator.py (Word via python-docx).
    2. Boundary markers: The skill lacks formal boundary markers to prevent embedded instructions in PDFs from influencing the 'DecisionReasoner'.
    3. Capability inventory: Subprocess execution of LaTeX compilers and file write access to .tex files.
    4. Sanitization: latex_format_parser.py performs text cleaning, but the optimization logic specifically aims to align LaTeX content with external benchmark text, facilitating the transfer of malicious payloads.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 04:30 PM