grant-application-assembler

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (LOW): The skill exposes an indirect prompt-injection surface: untrusted data from external JSON files and user-supplied CLI arguments is interpolated into templates without sanitization.
  • Ingestion Points: scripts/initialize_assembly.py reads pipeline_state.json (an untrusted source); scripts/compile_narratives.py accepts free-text arguments (--beneficiaries, --environmental).
  • Boundary Markers: Absent. No delimiters or instructions are used to separate external data from system templates.
  • Capability Inventory: The skill writes files into a shared operational directory (/srv/janus/03_OPERATIONS/) but, in the code provided, does not spawn subprocesses or make network calls.
  • Sanitization: Absent. Data is formatted directly into markdown and LaTeX files.
  • Lack of Output Sanitization (LOW): The LaTeX generation logic in scripts/generate_submission_package.py uses simple string replacement without escaping LaTeX special characters (e.g., \, {, }).
  • Evidence: latex_content.replace(f"{{{{{key}}}}}", value) in scripts/generate_submission_package.py.
  • Impact: If a user or an automated system compiles the generated .tex file, an attacker who controls the input data can inject LaTeX macros. Reading local files (for example via \input) needs no special compiler configuration; executing system commands additionally requires the compiler to be run with shell escape enabled (the \write18 primitive), which is an insecure configuration.
  • Broad File System Scope (LOW): The path resolution logic anchors on a root directory several levels above the skill directory (parents[4] of the resolved script path is three directories above the skill directory itself).
  • Evidence: REPO_ROOT = Path(__file__).resolve().parents[4] in scripts/utils.py.
  • Impact: While intended for a specific project structure (03_OPERATIONS, 01_STRATEGY), this gives the skill access to a wider range of files than its individual function needs, and nothing in the provided code confines writes to the intended subdirectory.
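The two LOW findings above (unescaped LaTeX substitution and broad file-system scope) are illustrated together in the following added example. It is not code from the audited skill or from the audit; it reproduces the quoted replace() pattern next to a hardened renderer that escapes LaTeX special characters in a single pass, and adds a write-path check that refuses targets outside the operations directory. The template text, the malicious input, the functions render_unsafe, render_safe, escape_latex and safe_output_path, and the REPO_ROOT / OPS_DIR constants are all constructed for this example (the skill derives REPO_ROOT from __file__; here it is a literal).

```python
"""Added example, not part of the audited skill: LaTeX-escaped template
rendering and output-path confinement for a grant-package generator.
All names and sample data here are constructed for illustration.
"""
from pathlib import Path
import re

# Constructed stand-in for the skill's .tex template; placeholders use the
# same {{key}} form that the audited replace() call expects.
TEMPLATE = r"""
\section{Beneficiaries}
{{beneficiaries}}
\section{Environmental impact}
{{environmental}}
"""

# Constructed attacker-controlled value, e.g. passed as --beneficiaries.
# \input reads a local file into the document; with shell escape enabled,
# \immediate\write18{...} would run a command instead.
MALICIOUS = r"\input{/etc/passwd}"

# Text-mode LaTeX special characters and their escaped forms.
LATEX_ESCAPES = {
    "\\": r"\textbackslash{}",
    "{": r"\{",
    "}": r"\}",
    "$": r"\$",
    "&": r"\&",
    "#": r"\#",
    "%": r"\%",
    "_": r"\_",
    "^": r"\textasciicircum{}",
    "~": r"\textasciitilde{}",
}
# One alternation so every character is replaced in a single pass; escaping
# sequentially would re-escape the backslashes introduced by earlier steps.
_ESCAPE_RE = re.compile("|".join(re.escape(c) for c in LATEX_ESCAPES))


def escape_latex(text: str) -> str:
    """Return text with every LaTeX special character escaped."""
    return _ESCAPE_RE.sub(lambda m: LATEX_ESCAPES[m.group(0)], text)


def render_unsafe(template: str, values: dict) -> str:
    """The pattern the audit quotes: raw values pasted into the template."""
    out = template
    for key, value in values.items():
        out = out.replace(f"{{{{{key}}}}}", value)
    return out


def render_safe(template: str, values: dict) -> str:
    """Same substitution, but each value is escaped before insertion."""
    out = template
    for key, value in values.items():
        out = out.replace(f"{{{{{key}}}}}", escape_latex(value))
    return out


# Assumed layout: the skill's REPO_ROOT would be derived from __file__.
REPO_ROOT = Path("/srv/janus")
OPS_DIR = REPO_ROOT / "03_OPERATIONS"


def safe_output_path(name: str, base: Path = OPS_DIR) -> Path:
    """Resolve an output file name under base, rejecting anything that
    escapes it (e.g. '../01_STRATEGY/x.tex' or an absolute path)."""
    root = base.resolve()
    target = (root / name).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        raise ValueError(f"refusing to write outside {root}: {target}")
    return target


if __name__ == "__main__":
    values = {"beneficiaries": MALICIOUS, "environmental": "50% & $100_x"}
    print("--- unsafe ---")
    print(render_unsafe(TEMPLATE, values))
    print("--- safe ---")
    print(render_safe(TEMPLATE, values))
    print(safe_output_path("submission.tex"))
    try:
        safe_output_path("../01_STRATEGY/submission.tex")
    except ValueError as err:
        print("blocked:", err)
```

Escaping at the point of insertion neutralizes the macro injection regardless of how the .tex file is later compiled; the path check is a complement to, not a substitute for, narrowing REPO_ROOT itself.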
Audit Metadata
Risk Level
SAFE
Analyzed
Feb 17, 2026, 06:34 PM