crypt-librarian

Pass

Audited by Gen Agent Trust Hub on Feb 21, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • COMMAND_EXECUTION (LOW): The skill workflows (e.g., archive-manager, taste-analyzer) frequently invoke local Python and Shell scripts such as crypt_db.py, generate_taste_seeds.py, and exa_research.py. These scripts are located in local directories outside the skill folder, meaning their integrity cannot be verified within this audit.
  • PROMPT_INJECTION (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8) because it ingests and processes data from external, untrusted web sources.
      ◦ Ingestion points: scripts/flexible_discovery.py fetches data from the Reddit API; scripts/exa_film_search.py and workflows/film-researcher.md fetch content from the Exa API and various websites via firecrawl.
      ◦ Boundary markers: No boundary markers (e.g., XML tags) or 'ignore embedded instructions' warnings are used when passing external content to the agent.
      ◦ Capability inventory: The agent has access to Bash and Edit tools, creating a risk that a successful injection could lead to unauthorized file modification or command execution.
      ◦ Sanitization: The scripts do not sanitize natural language content to filter out embedded instructions before returning it to the agent.
  • EXTERNAL_DOWNLOADS (LOW): The skill communicates with non-whitelisted domains (api.exa.ai and reddit.com) to retrieve film metadata and search results. While necessary for the skill's discovery features, these represent external data dependencies.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 21, 2026, 05:49 PM