field-books-survey

Warn

Audited by Gen Agent Trust Hub on Mar 20, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes the Bash tool to programmatically create a directory tree based on discipline and direction names retrieved from the internet. If the retrieved names are manipulated by an attacker (e.g., through SEO poisoning of academic sites), they could contain shell metacharacters intended to execute unauthorized commands. This occurs in Phase 3 where variables like {direction_en} are used in Bash commands.
  • [PROMPT_INJECTION]: As an indirect prompt injection surface, the skill ingests content from external websites and uses it to construct instructions for sub-agents in Phase 2 and Phase 4. This data influences the sub-agents' behavior and the resulting file content.
  • Ingestion points: Discipline categorization and book list data fetched from the web in SKILL.md.
  • Boundary markers: Missing. External data is placed directly into variables within sub-agent templates without delimiters.
  • Capability inventory: Bash (folder creation), Write (file writing), and WebSearch/WebFetch.
  • Sanitization: Absent. The skill does not filter or escape the content retrieved from educational or industry websites before processing it through subsequent LLM steps.
  • [EXTERNAL_DOWNLOADS]: Extensive use of WebSearch and WebFetch tools to gather data from the public internet across multiple phases. While this is the intended functionality, it serves as the primary entry point for untrusted data that the agent treats as authoritative.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 20, 2026, 02:22 PM