book-to-skill

Pass

Audited by Gen Agent Trust Hub on May 5, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted text from user-provided PDF and EPUB files.
      • Ingestion points: The skill reads the extracted book text from /tmp/book_skill_work/full_text.txt during the analysis (Step 3) and generation (Step 7) phases in SKILL.md.
      • Boundary markers: No explicit delimiters or "ignore embedded instructions" warnings are used when the agent is instructed to read and summarize the book content.
      • Capability inventory: The agent has access to powerful tools such as Bash, Read, and Write, which could be misused if the agent follows malicious instructions hidden within a book.
      • Sanitization: The skill does not perform any sanitization or filtering of the extracted text before passing it to the model for analysis.
  • [COMMAND_EXECUTION]: The skill uses shell commands and a Python script to perform file operations and text extraction.
      • Evidence: The extract.py script uses subprocess.run() to invoke system utilities like pdftotext and pdfinfo. These calls use list-based arguments, which is a recommended security practice to prevent shell injection vulnerabilities.
      • Evidence: SKILL.md uses several standard tools such as mkdir, cp, find, and cat to manage the skill's directory structure and files.
  • [EXTERNAL_DOWNLOADS]: The skill relies on and recommends several external dependencies for its functionality.
      • Evidence: The README suggests installing standard libraries and utilities including poppler-utils, PyPDF2, pdfminer.six, docling, ebooklib, and beautifulsoup4 from official registries.
      • Evidence: Installation instructions involve downloading the skill components directly from the author's public GitHub repository using curl.
Audit Metadata
Risk Level: SAFE
Analyzed: May 5, 2026, 03:34 PM