The Agent Skills Directory

[CREDENTIALS_UNSAFE]: The skill instructions in SKILL.md contain hardcoded database credentials (--user root --pass root) for connecting to a local SurrealDB instance. Hardcoding credentials, even defaults for local development, is a violation of security best practices.
[COMMAND_EXECUTION]: The skill extensively uses the Bash tool to perform automated system operations, including:
Executing SurrealDB CLI queries for context retrieval and state updates.
Running local Python scripts (./scripts/generate-embedding.py and ./scripts/extract-entities.py) for processing manuscript content.
Performing file system management and document generation using mkdir, cat, and shell redirections.
Executing Git commands to maintain version control of the generated manuscript.
[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes data that may originate from untrusted external sources (research corpus).
Ingestion points: Data is loaded from SurrealDB via multiple queries in SKILL.md (e.g., retrieving writing_task, section, and character data).
Boundary markers: There are no explicit delimiters or system instructions used to isolate retrieved context from the agent's control logic, which could allow malicious instructions embedded in the research data to influence agent behavior.
Capability inventory: The agent has the ability to execute shell commands (Bash), write files (Write), and modify database records (TaskUpdate), providing a significant impact surface if an injection occurs.
Sanitization: The workflow does not include a sanitization or validation step for the content retrieved from the database before it is used to guide the autonomous writing process.
Autonomy: The skill is designed to operate autonomously without human-in-the-loop review between sections, increasing the risk that a successful injection could proceed undetected.

bookstrap-write