inno-prepare-resources

Warn

Audited by Gen Agent Trust Hub on Apr 19, 2026

Risk Level: MEDIUM
Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through its ingestion of external metadata. Repository names and descriptions fetched from the GitHub Search API are concatenated directly into the prompt for the 'Prepare Agent' (Step 4) without sanitization or clear boundary markers. This could allow an attacker controlling a repository to influence the agent's reasoning or subsequent selection process.
  • [PROMPT_INJECTION]: Mandatory Evidence Chain (Category 8): Ingestion points include the instance.json file and repository descriptions from the GitHub Search API; boundary markers are absent as content is interpolated directly into instructions; capability inventory includes write_file (for persisting logs and papers), github_search (network access), and download_arxiv_source_by_title (network access and archive extraction); sanitization is absent for the concatenated strings used in the agent queries.
  • [EXTERNAL_DOWNLOADS]: The skill performs automated network requests to fetch data from well-known services, specifically the GitHub Search API and arXiv. These operations are consistent with the skill's primary research and data processing purpose.
  • [COMMAND_EXECUTION]: The skill performs dynamic loading of 'metaprompt modules' based on the category input parameter (Step 3). Loading or importing modules via paths determined at runtime based on external input represents a potential risk of unauthorized code execution if the input is not strictly validated against a known-safe list.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 19, 2026, 01:26 PM