paper-deep-reader

Warn

Audited by Gen Agent Trust Hub on Feb 25, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructions in SKILL.md direct the agent to execute a shell command: py scripts/extract_figures.py "<pdf_path>" -o "<pdf_dir>/figures". Because <pdf_path> and <pdf_dir> originate from user input, this is a command injection vulnerability whenever the agent interpolates those strings into a single shell command line without neutralizing shell metacharacters (semicolons, backticks, ampersands). The double quotes around the placeholders do not help: a value that contains a double quote closes the quoted argument, and everything after it is parsed as shell syntax. The fix is to pass the values as separate argv elements with no shell involved, and to validate the path (inside an allowed directory, .pdf extension, no control characters) before use.
  • [PROMPT_INJECTION]: The skill processes untrusted external data, making it vulnerable to indirect prompt injection (Category 8). Ingestion points: PDF content is ingested via the Read tool in Phase 2. Boundary markers: the agent is given no delimiters and no instruction to treat the PDF text as data rather than as instructions. Capability inventory: the skill can execute shell scripts, write files locally, and send data to an external service via the mcp__docparser__parse_markdown tool, so an instruction embedded in a paper has both a way to run code and a way to exfiltrate what it reads. Sanitization: the skill has no mechanism to filter or escape instructions embedded in the academic papers it processes.
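The COMMAND_EXECUTION finding above, shown as an added example that is not part of the Trust Hub audit or of the paper-deep-reader skill. It runs one attacker-chosen <pdf_path> through the flagged interpolated-string form and through an argv form, and reports whether the injected command ran. The extractor script is not on this page, so `echo` stands in for `py scripts/extract_figures.py`; the payload, the `pwned` marker file, and the `validate_pdf_path` policy are constructed for the demonstration, and the shell side assumes a POSIX /bin/sh.

```python
"""Added example: interpolated shell string vs. argv for the extract_figures call.
Not code from the audited skill; `echo` is a hypothetical stand-in for the script."""
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, List

# Hypothetical stand-in for `py scripts/extract_figures.py`.
EXTRACTOR: List[str] = ["echo", "extract_figures"]
MARKER = "pwned"  # file the injected payload tries to create


def build_shell_string(pdf_path: str, pdf_dir: str) -> str:
    """The pattern the audit flags: user-controlled strings dropped into one shell
    command line. The double quotes give no protection once the value contains `"`."""
    return f'{" ".join(EXTRACTOR)} "{pdf_path}" -o "{pdf_dir}/figures"'


def validate_pdf_path(pdf_path: str, allowed_root: Path) -> Path:
    """Accept only a .pdf path that stays inside allowed_root and carries no
    control characters. Existence is not checked so the example runs without files."""
    if any(ord(c) < 32 for c in pdf_path):
        raise ValueError("control character in path")
    p = Path(pdf_path)
    if not p.is_absolute():
        p = allowed_root / p
    p = p.resolve()
    try:
        p.relative_to(allowed_root.resolve())
    except ValueError:
        raise ValueError("path escapes the allowed root") from None
    if p.suffix.lower() != ".pdf":
        raise ValueError("not a .pdf file")
    return p


def build_argv(pdf_path: Path) -> List[str]:
    """Hardened form: each value is one argv element, so no shell ever parses it."""
    return [*EXTRACTOR, str(pdf_path), "-o", str(pdf_path.parent / "figures")]


def validator_accepts(pdf_path: str, allowed_root: Path) -> bool:
    try:
        validate_pdf_path(pdf_path, allowed_root)
        return True
    except ValueError:
        return False


def demo() -> Dict[str, bool]:
    """Run one constructed payload through both styles inside a scratch directory
    and report, per style, whether the injected `touch` executed."""
    evil = f'paper.pdf"; touch {MARKER}; echo "'  # constructed payload
    results: Dict[str, bool] = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        marker = root / MARKER

        # 1. Interpolated string handed to /bin/sh: `"` closes the quoted argument,
        #    `;` ends the command, and `touch pwned` runs in the working directory.
        subprocess.run(build_shell_string(evil, tmp), shell=True, cwd=tmp,
                       check=False, capture_output=True)
        results["shell_string_ran_payload"] = marker.exists()
        marker.unlink(missing_ok=True)

        # 2. Same payload as a single argv element: echo prints it, nothing else runs.
        subprocess.run(build_argv(root / evil), cwd=tmp, check=True, capture_output=True)
        results["argv_ran_payload"] = marker.exists()

        # 3. Validation in front of the argv form: payload and traversal are refused,
        #    a plain .pdf under the root is accepted.
        results["payload_accepted"] = validator_accepts(evil, root)
        results["traversal_accepted"] = validator_accepts("../outside.pdf", root)
        results["clean_path_accepted"] = validator_accepts("paper.pdf", root)
    return results


if __name__ == "__main__":
    print(demo())
```

Running the block on a POSIX host shows the marker file appearing only for the interpolated string; the argv form passes the whole payload to `echo` as one argument, and the validator rejects it before any command is built. For a skill that targets Windows via the `py` launcher, the same argv-list discipline applies, since `subprocess.run` with a list avoids cmd.exe entirely.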
Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 25, 2026, 06:34 AM