autoresearch
Warn
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill explicitly instructs the agent to operate without human oversight or confirmation (“This runs fully autonomously. Do not ask the user for permission or confirmation”), which overrides standard human-in-the-loop safety and verification protocols.
- [COMMAND_EXECUTION]: Directs the agent to establish persistence on the host system by setting up 10-minute cron jobs (OpenClaw) or utilizing platform-specific continuous loops (`/loop` in Claude Code) to maintain long-term execution across sessions.
- [EXTERNAL_DOWNLOADS]: Instructs the agent to perform external downloads by running shell commands to install third-party Python packages (`semanticscholar`, `arxiv`) and potentially system-level PDF rendering utilities (`weasyprint`, `playwright`, `wkhtmltopdf`).
- [DATA_EXFILTRATION]: Encourages the transmission of research findings and plots to external messaging platforms such as Telegram or WhatsApp, which could lead to data exposure depending on the environment configuration.
- [PROMPT_INJECTION]: The skill's primary workflow involves the automated ingestion and synthesis of untrusted data from external sources like web searches and scientific databases (arXiv, Semantic Scholar). This creates an attack surface for indirect prompt injection where malicious content in a paper could redirect the research goals or trigger exploitable behaviors.
- Ingestion points: Research paper data fetched via Exa MCP, arXiv, and Semantic Scholar.
- Boundary markers: Absent; the skill does not specify markers to delimit untrusted research content from agent instructions.
- Capability inventory: Full file system write access, execution of other domain skills (training, infra, optimization), and system persistence (cron).
- Sanitization: None described for external literature content.
Audit Metadata