authoring-skills

Warn

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructions in references/CONVERTING.md and INSTRUCTIONS.md recommend installing the pandoc utility with system-level package commands such as brew install pandoc, and they use curl and wget to fetch content from remote URLs for conversion tasks. Both steps pull code or content from the network at run time, outside any pinning or integrity check.
  • [REMOTE_CODE_EXECUTION]: The script scripts/recognize-image.py includes a function ensure_lmstudio that runs pip install lmstudio automatically when the package is missing. Installing an unpinned package at run time means that whatever the configured index serves under that name is executed on the next import, so a dependency-confusion attack or a compromised registry becomes code execution on the user's machine.
  • [DATA_EXFILTRATION]: The script scripts/analyze-skill-usage.sh reads and parses session log files under ~/.claude/projects/. These files hold the full history of user interactions and are sensitive. The script is intended for local reporting, but reading this directory is a sensitive operation, and any change that sends the parsed output elsewhere would turn it into exfiltration.
  • [COMMAND_EXECUTION]: The skill makes extensive use of subprocess execution for lifecycle management and document processing, including node, python, pandoc, and version-control commands such as jj. It also spawns sub-agents with the Task tool using mode: "bypassPermissions", so those agents run operations without per-step user confirmation.
  • [PROMPT_INJECTION]: The skill's primary function is to ingest untrusted external data (PDFs, EPUBs, and web URLs) and transform it into instructions the agent will follow. This is an indirect prompt-injection surface: a source document carrying hidden instructions can steer the agent's behaviour during conversion.
  • [PROMPT_INJECTION]: INSTRUCTIONS.md includes a 'Self-improvement protocol' under which the agent is encouraged to update its own code and instructions automatically based on session observations. An attacker who can influence those observations through crafted inputs could use this to change the skill persistently.
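The REMOTE_CODE_EXECUTION finding above describes a general pattern rather than a bug specific to one script: on ImportError, run pip against an unpinned name. The block below is an added illustration, not code from the audited skill; it reproduces that pattern with an injectable runner so it can be exercised without touching pip, and sets it beside a hardened variant that refuses to install at run time and instead demands a pinned, hash-checked requirements file. All names (ensure_package_unsafe, ensure_package_safe, PinnedDependency, example-dist, the index URL and the placeholder digest) are hypothetical.

```python
"""Runtime 'pip install on ImportError' beside a hardened alternative.
Added example with hypothetical names; not the audited skill's own code."""
import importlib.util
import subprocess
import sys
from dataclasses import dataclass
from typing import Callable, Sequence


def module_available(module_name: str) -> bool:
    """True if module_name can be imported, without importing it."""
    return importlib.util.find_spec(module_name) is not None


def ensure_package_unsafe(module_name: str, dist_name: str,
                          run: Callable[[Sequence[str]], object] = subprocess.run
                          ) -> list[str]:
    """The flagged pattern: on a missing import, install dist_name unpinned from
    whatever index pip is configured with.  A dependency-confusion upload or a
    poisoned mirror turns the next run into code execution.  `run` is injectable
    so the behaviour can be exercised without actually invoking pip."""
    cmd = [sys.executable, "-m", "pip", "install", dist_name]  # no version, no hash
    if not module_available(module_name):
        run(cmd)
    return cmd


@dataclass(frozen=True)
class PinnedDependency:
    dist_name: str
    version: str
    sha256: str  # digest of the exact artifact that was vetted


def requirements_line(dep: PinnedDependency) -> str:
    """Requirements-file line that pip accepts under --require-hashes."""
    return f"{dep.dist_name}=={dep.version} --hash=sha256:{dep.sha256}"


def hardened_install_command(requirements_path: str, index_url: str) -> list[str]:
    """Explicit index, hashes mandatory, no transitive surprises.  This is the
    command an operator runs deliberately; the skill itself never runs it."""
    return [sys.executable, "-m", "pip", "install",
            "--require-hashes", "--no-deps",
            "--index-url", index_url,
            "-r", requirements_path]


def ensure_package_safe(module_name: str, dep: PinnedDependency) -> None:
    """Hardened: never install at run time.  Fail closed and tell the operator
    exactly what to install, pinned and hash-checked."""
    if module_available(module_name):
        return
    raise RuntimeError(
        f"{module_name} is not installed; refusing to auto-install. "
        f"Add this line to a requirements file and run pip install "
        f"--require-hashes:\n  {requirements_line(dep)}")


if __name__ == "__main__":
    # Exercise the unsafe pattern against a module that certainly does not exist,
    # capturing the command it would have run instead of executing it.
    calls: list[list[str]] = []
    ensure_package_unsafe("no_such_module_xyz_123", "no-such-dist", run=calls.append)
    print("unsafe pattern would run:", " ".join(calls[0]))

    # Placeholder digest (64 hex chars), constructed for the example; not a real hash.
    dep = PinnedDependency("example-dist", "1.2.3", "a" * 64)
    try:
        ensure_package_safe("no_such_module_xyz_123", dep)
    except RuntimeError as exc:
        print("hardened pattern:", exc)
    print(" ".join(hardened_install_command("requirements.txt",
                                            "https://pypi.example.internal/simple")))
```

The point of the hardened variant is not the pip flags but the control flow: the missing-package case is an error reported to a human, never an automatic network fetch. Note that --require-hashes only applies to requirements files, which is why the pinned line is written to a file rather than passed on the command line.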
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 6, 2026, 02:12 PM