citation-audit

Pass

Audited by Gen Agent Trust Hub on May 5, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: Indirect Prompt Injection Surface (Category 8). The skill is designed to extract and process untrusted content from research papers, which could contain malicious instructions.
  • Ingestion points: The skill reads LaTeX source files (*.tex) to extract surrounding context for every citation (Step 2).
  • Boundary markers: The prompt used for the reviewer model (mcp__codex__codex) uses basic markdown headers like ## Where this entry is cited in the paper but lacks explicit instructions to the model to ignore any potential commands or overrides embedded within the paper's text.
  • Capability inventory: The skill has access to sensitive capabilities including file modification (Edit, Write) and shell command execution (Bash for latexmk). If a malicious paper successfully tricks the reviewer model into providing a compromised verdict, the agent might execute unintended actions during the fix-application phase (Step 6).
  • Sanitization: There is no logic for sanitizing or escaping the extracted paper context before it is interpolated into the reviewer prompt.
  • [COMMAND_EXECUTION]: The skill utilizes the Bash tool to perform project recompilation using latexmk (Step 7). While this is a standard and necessary operation for a LaTeX auditing tool, it represents a capability that could be exploited if the paper being audited contains malicious LaTeX code designed to trigger side effects during compilation.
Audit Metadata
Risk Level: SAFE
Analyzed: May 5, 2026, 06:32 PM