The Agent Skills Directory

[DYNAMIC_EXECUTION]: The script build_graph.py generates a self-contained HTML visualization by injecting highlight data into an HTML template via string replacement. The data is converted to JSON using json.dumps, which does not escape HTML tags by default. If a highlight contains a closing script tag (e.g., </script>), it will prematurely end the data block in the HTML and allow any subsequent malicious JavaScript in the highlight to execute in the user's browser context when the graph is opened.
[INDIRECT_PROMPT_INJECTION]: The skill fetches highlights from Readwise—an external and potentially untrusted data source—and instructs parallel subagents to perform semantic analysis on this text. There are no boundary markers or instructions to treat this content as data only. This creates a surface where an attacker-controlled highlight could contain instructions that override the subagent's logic or influence the generated connections.
Ingestion points: Highlights are fetched via mcp__readwise__readwise_list_highlights or the readwise CLI and stored in /tmp/highlights.json.
Boundary markers: None. Highlights are passed directly to subagents in batches for semantic processing.
Capability inventory: The skill can execute local Python scripts (build_graph.py), write files to /tmp, and launch the system browser using the open command.
Sanitization: The Python script performs basic newline and quote character replacement for preview strings, but the full highlight text used in the sidebar and connection analysis is not sanitized for malicious instructions or HTML escaping.
[EXTERNAL_DOWNLOADS]: The generated HTML visualization references the force-graph library from https://unpkg.com/force-graph. This is a well-known and standard service for delivering open-source packages via CDN.
[COMMAND_EXECUTION]: The skill uses shell commands to execute the build script and open the resulting HTML file. These operations are essential to the primary function of the skill.

highlight-graph