Article Writer

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection. It processes untrusted data from multiple external sources including PDFs (via pdf_reader.py), web search results (via scholar_search.py), and remote Git repositories (via /article-writer:add-code). There are no defined boundary markers or sanitization procedures described in the skill metadata. Given the agent's capability to execute shell commands and write to files, a malicious actor could embed instructions in a research paper or code repository that the agent would then execute with its local permissions.
  • [REMOTE_CODE_EXECUTION] (HIGH): The command /article-writer:add-code downloads code from arbitrary URLs. Cloned repositories can contain malicious hooks or scripts that may be executed during analysis. Furthermore, the /article-writer:compile command likely invokes LaTeX engines; if shell escape is not disabled or the engine is not sandboxed, LaTeX features such as \write18 can be used to execute arbitrary shell commands on the host system.
  • [COMMAND_EXECUTION] (MEDIUM): The skill uses a PostToolUse hook to execute ./hooks/check_pages.sh and relies on several local Python scripts (e.g., compile.py, write.py). These provide a direct path for command execution. If the inputs to these tools are influenced by untrusted external content without strict validation, the result could be local system compromise.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill is designed to interact with external networks to search Google Scholar and clone Git repositories. While these are core features, they facilitate the entry of potentially malicious untrusted data into the agent's environment.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 12:37 PM