manuscript-review
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted user-uploaded manuscripts (PDF, DOCX, LaTeX, Markdown). A malicious document could contain hidden instructions designed to manipulate the agent's review verdict or exfiltrate context.
- Ingestion points: Uploaded manuscripts are processed in Workflow Step 1.
- Boundary markers: The instructions do not define clear delimiters or specific instructions to disregard potentially malicious commands embedded within the manuscripts.
- Capability inventory: The agent reads files, processes their content, and generates a structured report, which could be used as an exfiltration or manipulation vector.
- Sanitization: There is no specific sanitization or filtering logic for embedded prompt injection patterns.
- [COMMAND_EXECUTION]: In Pass 12 (Rendered Document Inspection), the instructions tell the agent to 'compile' LaTeX source if a PDF is not provided. Compiling LaTeX is a form of dynamic code execution that can be exploited (e.g., via the \write18 command) to run arbitrary system commands if the compilation environment is not strictly sandboxed.
- [EXTERNAL_DOWNLOADS]: The skill references an external resource located at ../humanize/references/detection-patterns.md. This represents a dependency on a file path outside the skill's own directory structure, which could lead to unexpected behavior if the external file is modified or absent.