book-tools

Fail

Audited by Gen Agent Trust Hub on Feb 20, 2026

Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • EXTERNAL_DOWNLOADS (HIGH): The script scripts/setup.sh downloads a pre-compiled binary from a GitHub repository (iosifache/annas-mcp) that is not on the trusted organizations or repositories list.
  • Evidence: setup.sh defines url="https://github.com/iosifache/annas-mcp/releases/download/${ANNAS_VERSION}/$(unknown)" and uses curl -fsSL "$url" to retrieve it.
  • REMOTE_CODE_EXECUTION (HIGH): The skill installs and grants execution permissions to the downloaded binary without performing any integrity checks such as SHA-256 checksum verification.
  • Evidence: setup.sh executes chmod +x "$INSTALL_DIR/annas-mcp" on the downloaded file and the SKILL.md instructions encourage the agent to run this setup.
  • COMMAND_EXECUTION (MEDIUM): The skill relies heavily on shell command execution for its primary functions, including dependency management and tool configuration.
  • Evidence: SKILL.md contains multiple blocks for bash and python3 execution, and setup.sh uses pip install and tar operations.
  • PROMPT_INJECTION (LOW): The skill is vulnerable to indirect prompt injection because it fetches and displays book metadata (titles, descriptions) from external, attacker-influenced databases (Z-Library and Anna's Archive).
  • Ingestion points: Data returned by python3 ${SKILL_PATH}/scripts/book.py search.
  • Boundary markers: Absent; the instructions in SKILL.md tell the agent to present results in a table without warning it to ignore instructions embedded in the metadata.
  • Capability inventory: The skill has filesystem write access (download command) and shell execution capabilities.
  • Sanitization: No sanitization or escaping of the search results is mentioned before presenting them to the user or the agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 20, 2026, 02:40 AM