Gen Agent Trust Hub audit: skills/thvroyal/kimi-skills/kimi-pdf

kimi-pdf

Fail

Audited by Gen Agent Trust Hub on Mar 30, 2026

Risk Level: HIGH
Categories: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The file routes/latex.md instructs the agent to execute curl -fsSL https://drop-sh.fullyjustified.net | sh to install the Tectonic LaTeX engine. This pattern pipes a remote script straight into a shell interpreter: whatever the server returns at that moment is executed with the agent's privileges, with no checksum or signature check, no opportunity to read the script first, and nothing stopping a partially transferred script from running. TLS (the -fsSL flags) protects the bytes in transit but says nothing about the integrity of the origin host.
  • [EXTERNAL_DOWNLOADS]: The script scripts/compile_latex.py dynamically attempts to install the pypdf library via pip at runtime if it is missing from the environment. Similarly, the pdf.sh script under the fix command performs global installations of the playwright npm package and Python dependencies such as pikepdf and pdfplumber using npm and pip. These installs happen while the agent is running, outside any lockfile or hash pinning, so the code that ends up executing is whatever version the package registry serves at that instant.
  • [COMMAND_EXECUTION]: Multiple scripts within the skill utilize subprocess.run or execSync to run system binaries. Specifically, scripts/compile_latex.py executes tectonic, scripts/cmd_convert.py runs soffice (LibreOffice), and scripts/pdf.sh executes various shell utilities. Some calls in scripts/browser_helper.js pass shell: true; on Unix that makes Node join the command and its arguments into one string and hand it to /bin/sh -c, so any argument derived from input (a file name, a URL) that contains shell metacharacters such as ;, |, or $( ) is interpreted by the shell rather than passed literally, which is the classic command-injection path.
  • [PROMPT_INJECTION]: The skill is a surface for indirect prompt injection because it processes complex user-provided data (HTML and LaTeX) and possesses high-privilege capabilities.
    1. Ingestion points: untrusted data enters the agent context through the files processed by scripts/html_to_pdf.js, scripts/compile_latex.py, and scripts/pdf.py.
    2. Boundary markers: no explicit markers or safety instructions wrap the untrusted content during processing.
    3. Capability inventory: the skill can execute shell commands, perform browser automation via Playwright, and write to the local file system.
    4. Sanitization: no sanitization or validation of the internal content of HTML or TeX files is performed prior to rendering or compilation.
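The mechanism behind the shell: true finding, shown as an added example that is not code from the kimi-pdf skill or from this audit. On Unix, Node's child_process with shell: true joins the command and its arguments into one string and runs it through /bin/sh -c, which is exactly what convert_unsafe does explicitly below; convert_safe passes the file name as a single argv element instead, and is_safe_name shows the allow-list check a practitioner would add before the name reaches any binary. echo stands in for soffice or tectonic so the example runs anywhere; the function names, the allow-list, and the sample file name are assumptions.

```shell
#!/bin/sh
# Added example (not from the skill). `echo` stands in for the real
# converter (soffice, tectonic); $1 plays the role of a user-supplied path.

# VULNERABLE: the file name is spliced into a command line that a shell
# re-parses. This is what Node's spawn(cmd, args, { shell: true }) does
# under the hood, so ';', '|', '$(...)' inside $1 are executed, not passed.
convert_unsafe() {
  sh -c "echo converting $1"
}

# HARDENED: the file name is one argv element handed straight to the
# binary (no shell in between), so metacharacters stay literal.
convert_safe() {
  echo converting "$1"
}

# Allow-list check to run before the name reaches any binary: only a
# plain basename of letters, digits, '.', '_' and '-', not starting with
# '.', so no path separators, no '..', no shell metacharacters.
is_safe_name() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*|.*) return 1 ;;
    *) return 0 ;;
  esac
}

# Constructed sample input: a "file name" carrying an injected command.
SAMPLE_EVIL='a.html; echo INJECTED'
```

Running convert_unsafe "$SAMPLE_EVIL" prints two lines, the second of them produced by the injected echo; convert_safe prints the whole string as one literal argument, and is_safe_name rejects it outright.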
Recommendations
  • HIGH: Downloads and executes remote code from: https://drop-sh.fullyjustified.net - DO NOT USE without thorough review
  • AI detected serious security threats
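A hardened replacement for the piped install behind both the REMOTE_CODE_EXECUTION finding and the HIGH recommendation above, as an added example that is not part of this audit or of the kimi-pdf skill: download the installer to a file, compare its SHA-256 against a digest pinned ahead of time, and only then hand it to sh. The helper names (sha256_of, verify_digest, run_verified_installer) are assumptions, and the pinned digest must be obtained out of band from the publisher; the audit does not quote one, so none is invented here.

```shell
#!/bin/sh
# Added example (not from the skill). Replaces
#   curl -fsSL https://drop-sh.fullyjustified.net | sh
# with: download to disk -> compare against a pinned SHA-256 -> run.
# The network step is shown in the usage comment only; the checks run offline.
set -eu

# sha256_of FILE: hex digest via coreutils sha256sum (Linux) or shasum (macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d ' ' -f 1
  else
    shasum -a 256 "$1" | cut -d ' ' -f 1
  fi
}

# verify_digest FILE EXPECTED_HEX: succeeds only if FILE hashes to EXPECTED_HEX.
verify_digest() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ]
}

# run_verified_installer FILE EXPECTED_HEX: execute FILE with sh only after
# the digest check passes; refuse (exit 1) otherwise. The script is a complete
# file on disk, so a truncated download can never run as a partial script.
run_verified_installer() {
  if verify_digest "$1" "$2"; then
    sh "$1"
  else
    echo "digest mismatch for $1, refusing to run" >&2
    return 1
  fi
}

# Typical use, with PINNED_SHA256 taken from the publisher's release notes
# (placeholder variable; no value is assumed here):
#   curl -fsSLo /tmp/tectonic-install.sh https://drop-sh.fullyjustified.net
#   run_verified_installer /tmp/tectonic-install.sh "$PINNED_SHA256"
```

The important property is that the digest is fixed before the download and checked against the file actually written to disk, so a changed server response, a tampered CDN, or an interrupted transfer all end in a refusal instead of partial or foreign code running with the agent's privileges.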
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 30, 2026, 01:53 AM