The Agent Skills Directory

[COMMAND_EXECUTION] (MEDIUM): The script scripts/generate_pdf.py executes external binaries to process documents.
Evidence: Lines 55 and 82 in scripts/generate_pdf.py use subprocess.run to invoke pandoc and xelatex.
Risk: Malicious markdown content or a crafted LaTeX template could exploit LaTeX primitives (like \write18 or \input) to execute arbitrary shell commands or read sensitive files during the PDF compilation process.
[EXTERNAL_DOWNLOADS] (LOW): The skill performs network operations to retrieve citation metadata from external sources.
Evidence: scripts/verify_citations.py uses the requests library (Lines 38, 54) to query doi.org and api.crossref.org.
Risk: While these are legitimate academic APIs, they represent a dependency on external content that is not strictly validated before being processed.
[PROMPT_INJECTION] (LOW): The skill is vulnerable to Indirect Prompt Injection through the processing of untrusted external metadata.
Ingestion points: scripts/verify_citations.py ingests data from the CrossRef API; scripts/search_databases.py ingests data from local JSON results files.
Boundary markers: Absent. Data from external sources is interpolated directly into strings for output.
Capability inventory: The skill has file-writing capabilities (PDF/JSON) and prints to the console, which often serves as input for the next agent step.
Sanitization: No sanitization or escaping is performed on fields like 'title', 'authors', or 'abstract'. If these fields contain malicious instructions, a downstream LLM agent reading the generated report may follow them.

literature-review