medical-imaging-review

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Flags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • EXTERNAL_DOWNLOADS (MEDIUM): The file references/MCP_SETUP.md instructs the user or agent to install and execute code from untrusted GitHub repositories (blazickjp/arxiv-mcp-server, grll/pubmedmcp, 54yyyu/zotero-mcp) using the uvx command. These repositories are not part of the trusted organizations list and represent unverifiable external dependencies.
  • COMMAND_EXECUTION (LOW): The skill is granted Bash access. While intended for local file operations and research tasks (e.g., using curl to interact with a local Zotero API as mentioned in references/MCP_SETUP.md), this provides a powerful execution environment that could be exploited.
  • PROMPT_INJECTION (LOW): The skill is highly susceptible to Indirect Prompt Injection (Category 8) due to the nature of its workflow.
      ◦ Ingestion points: External content is ingested through mcp__arxiv-mcp-server__read_paper, mcp__pubmed-mcp-server__pubmed_search_articles, WebFetch, and WebSearch (as detailed in references/WORKFLOW.md).
      ◦ Boundary markers: Absent. There are no instructions or delimiters provided to ensure the agent ignores malicious instructions embedded within the medical papers it reads.
      ◦ Capability inventory: The agent has access to the Bash, Write, Edit, and Task tools.
      ◦ Sanitization: Absent. The skill processes external text directly into manuscript drafts without filtering or validation.
  • DATA_EXFILTRATION (LOW): The skill documentation in references/TEMPLATES.md and references/MCP_SETUP.md describes accessing a local Zotero database, which requires a USER_ID and API keys. If an attacker-controlled research paper successfully achieves an indirect prompt injection, it could potentially use the Bash tool to exfiltrate these local credentials or library data via WebFetch or curl.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 17, 2026, 05:40 PM