
peer-reviewer

Fail

Audited by Gen Agent Trust Hub on Feb 13, 2026

Risk Level: CRITICAL
Categories: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • COMMAND_EXECUTION (CRITICAL): The SkillSearchAdapter in src/adapters/skill_search.ts uses child_process.exec to run external search tools. The command string is built by interpolating a claim variable that is extracted by an LLM from the paper being reviewed. The sanitization performed (replace(/"/g, '\"')) only addresses double quotes and fails to block subshell execution patterns like $(...) or backticks, enabling arbitrary command injection.
  • PROMPT_INJECTION (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8). It ingests untrusted text from academic papers via src/index.ts. The DeconstructionAgent is explicitly instructed in src/prompts.ts to 'Quote, Don't Paraphrase' when extracting claims. This ensures that any malicious shell payloads embedded in the source text are preserved and passed directly to the vulnerable execution component.
  • CREDENTIALS_UNSAFE (LOW): The skill's configuration logic in src/index.ts and src/adapters/vertex_ai.ts specifically attempts to locate and read a local file named google.json containing highly sensitive Google Cloud service account keys. This represents a risk of credential exposure in shared or insecure environments.
  • INDIRECT PROMPT INJECTION (HIGH): Mandatory Evidence Chain:
    1. Ingestion point: src/index.ts accepts raw text or file paths from user input.
    2. Boundary markers: Absent in DECONSTRUCTOR_PROMPT.
    3. Capability inventory: System command execution via execAsync in src/adapters/skill_search.ts and file system writes in src/adapters/file_storage.ts.
    4. Sanitization: Insufficient shell escaping (only double quotes) is applied to the extracted claims before they are executed in a shell environment.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: CRITICAL
Analyzed: Feb 13, 2026, 01:15 PM