paper-slides

Warn

Audited by Gen Agent Trust Hub on May 4, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the Bash(*) tool to execute various commands, including latexmk -$ENGINE, where $ENGINE is a variable that can be overridden by user arguments. This presents a potential command injection vector if input is not properly sanitized.
  • [EXTERNAL_DOWNLOADS]: The workflow automatically installs the python-pptx package using pip install if it is not detected on the system. While this is a common library, automatic package installation from external registries carries inherent supply chain risks.
  • [REMOTE_CODE_EXECUTION]: The skill dynamically generates a Python script (slides/generate_pptx.py) and executes it using python3. Executing code generated at runtime is a high-risk pattern as it can be manipulated if the source data is compromised.
  • [DATA_EXPOSURE]: The skill checks for the existence of ~/.claude/feishu.json to determine if it should send notifications. While used for integration, accessing sensitive configuration paths in the user's home directory is a behavior typically associated with data harvesting.
  • [PROMPT_INJECTION]: The skill processes untrusted data from paper sections (paper/sections/*.tex) and uses it to construct prompts for the mcp__codex__codex tool. This creates a surface for indirect prompt injection where instructions hidden in the LaTeX source could influence the model's behavior during the review phase.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 4, 2026, 10:30 AM