The Agent Skills Directory

[COMMAND_EXECUTION]: The skill features a 'Custom Phase Hooks' mechanism defined in a hooks.json configuration file. This allows the execution of arbitrary external scripts, including shell scripts (.sh), JavaScript (.js), and Python (.py) files, at various stages of the novel-building process (e.g., before_topic, after_final). If a user is tricked into using a malicious configuration or if the skill is distributed with malicious scripts, this could lead to unauthorized code execution.
[DATA_EXPOSURE]: The skill extensively uses a local hidden directory (.sumeru/) to store session configurations, user requirements, and generated content. This centralized storage of structured data and logs increases the impact of potential data exposure or unauthorized access to the project's intellectual property and metadata.
[PROMPT_INJECTION]: As an orchestrator that passes data between several autonomous sub-agents (sumeru-topic, sumeru-outline, sumeru-write, etc.), the skill is susceptible to indirect prompt injection. Malicious or adversarial content generated in an early phase (like a 'topic' or 'outline') could influence the behavior of subsequent agents without sufficient sanitization or boundary markers identified in the orchestration logic.
Ingestion points: .sumeru/session/user-requirements.json, .sumeru/outline/chapter-outlines.json, and outputs from various sub-agents.
Boundary markers: None identified in the provided coordination logic.
Capability inventory: File system read/write, coordination of multiple sub-agents, and execution of shell/python/js scripts via hooks.
Sanitization: No explicit sanitization or validation of data passed between agents is described.

sumeru-worldbuilder