latex-project-manager

Fail

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The push command documentation recommends Git remote URL formats that include authentication tokens in plain text (e.g., https://<user>:<token>@github.com/...). This results in sensitive tokens being stored in the local .git/config file, where they are vulnerable to exposure or theft by other processes or users accessing the repository.
  • [COMMAND_EXECUTION]: The skill performs automated execution of shell commands, including pdflatex, bibtex, and git. Running a LaTeX compiler on arbitrary user-supplied LaTeX files is a high-risk operation; LaTeX's complexity and features such as shell-escape (\write18) can be exploited to perform unauthorized file system access or execute arbitrary commands in the host environment.
  • [DATA_EXFILTRATION]: The skill includes a push command that transmits the project's source code and configuration to a user-provided remote_url. This functionality can be abused to exfiltrate sensitive intellectual property, research data, or credentials if the destination is directed to an attacker-controlled endpoint.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection via the processing of untrusted LaTeX files. (1) Ingestion points: The structure command in SKILL.md processes external <tex_file> content. (2) Boundary markers: There are no delimiters or instructions to ignore embedded commands within the LaTeX source. (3) Capability inventory: The skill has the ability to read/write files and execute shell commands (pdflatex, git). (4) Sanitization: No validation or sanitization of the LaTeX source is performed, allowing malicious instructions within the document to potentially manipulate the agent's critique and verification logic.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 29, 2026, 03:28 AM