The Agent Skills Directory

Data Exposure & Exfiltration (HIGH): The SKILL.md file contains a shell command that attempts to read a specific local file at /Users/lingzhi/Code/keys.md to extract an API key. This pattern targets a specific user directory to access sensitive credentials, which is a significant security risk for data exposure.
Command Execution (HIGH): The shell scripts in SKILL.md interpolate the $ARGUMENTS (user query) directly into bash commands using the QUERY placeholder inside double quotes. This is highly vulnerable to command injection; a malicious query containing shell metacharacters like ;, `, or $() could allow an attacker to execute arbitrary commands on the host system.
Indirect Prompt Injection (LOW): The skill processes untrusted data from multiple academic APIs and downloads source .tex files from arXiv. Malicious instructions could be embedded in paper titles, abstracts, or source code to influence the agent's behavior during subsequent processing steps.
Ingestion points: scripts/search_openalex.py (OpenAlex API), scripts/download_arxiv_source.py (arXiv source files), and scripts/search_crossref.py (CrossRef API).
Boundary markers: Absent. The skill does not provide instructions to the agent to treat paper content as untrusted data.
Capability inventory: Extensive subprocess execution in SKILL.md, disk write operations in all scripts, and outbound network requests to academic repositories.
Sanitization: The scripts perform basic filename sanitization using regex, but they do not sanitize or escape the content of the academic records or LaTeX source files before they are presented to the agent context.

literature-search