Plotting SOP

Warn

Audited by Gen Agent Trust Hub on Apr 7, 2026

Risk Level: MEDIUM

Flags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill makes extensive use of system.run to execute shell commands for dependency checking, package installation, and rendering. It interpolates user-provided variables such as {topic} and {description} into shell command strings and file paths (e.g., ls -la outputs/figures/{topic}-fig{N}.png) without explicit sanitization, creating a surface for command injection.
  • [DYNAMIC_EXECUTION]: The skill generates Python and Mermaid scripts at runtime and executes them via the system shell. The 'ReAct' self-correction loop allows the agent to modify and re-execute failing code up to three times, which can lead to unpredictable execution flows if the agent attempts to resolve errors by adding more complex or potentially unsafe code.
  • [EXTERNAL_DOWNLOADS]: The skill automatically attempts to install Python packages using pip install and executes remote Node.js packages using npx --yes @mermaid-js/mermaid-cli. While these target well-known registries, the use of --yes bypasses user confirmation for downloading and running remote code.
  • [CREDENTIALS_UNSAFE]: The instructions suggest storing the OpenRouter API key in MEMORY.md if the user provides one. Storing secrets in plain text in memory or shared workspace files increases the risk of credential theft if other skills or processes gain access to that file.
  • [DATA_EXFILTRATION]: The AI Image engine (§6) sends user-provided descriptions to an external endpoint (https://openrouter.ai/api/v1/chat/completions) via a Python script. While OpenRouter is a known service, the pattern of taking local data and sending it to a remote API with an associated secret is a primary mechanism for data exfiltration.
Audit Metadata

Risk Level: MEDIUM
Analyzed: Apr 7, 2026, 01:19 AM