auto-paper-improvement-loop

Pass

Audited by Gen Agent Trust Hub on May 13, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8). It ingests untrusted LaTeX source files and compiled PDFs into a high-capability reviewer agent (GPT-5.4 via Codex).
  • Ingestion points: Processes all .tex files in the paper/sections/ directory and the paper/main.pdf file.
  • Boundary markers: The prompt uses Markdown headers (e.g., ## Paper Files:) to delimit data, which provides weak protection against adversarial content inside the paper files.
  • Capability inventory: The skill possesses extensive capabilities including Bash(*), Write, Edit, and Agent (calling other skills like /kill-argument). An injection could potentially trick the agent into executing arbitrary shell commands or exfiltrating data.
  • Sanitization: No sanitization or escaping is performed on the LaTeX content before it is interpolated into the LLM prompt.
  • [DATA_EXFILTRATION]: The skill accesses a sensitive configuration file outside the working directory.
  • Evidence: It checks ~/.claude/feishu.json to determine if it should send notifications to the Feishu platform. While this is used for legitimate status reporting, accessing configuration files in the user's home directory is a form of data exposure.
  • [COMMAND_EXECUTION]: The skill performs extensive shell and script execution.
  • Evidence: It uses latexmk for document compilation, jq for JSON parsing, and bash for file orchestration.
  • Dynamic Execution: Step 4.5 implements an inline Python script using a shell heredoc (`python3 <<'PY'`) to perform theorem-statement consistency checks. This is a form of dynamic script generation.
  • [EXTERNAL_DOWNLOADS]: The skill refers to external tools and repositories.
  • Evidence: It mentions tools/extract_paper_style.py and suggests running bash tools/install_aris.sh to update dependencies. These scripts are assumed to be part of the local environment or the 'ARIS' repository, but they represent a point where external code is executed.
Audit Metadata
Risk Level: SAFE
Analyzed: May 13, 2026, 02:02 PM