ma-scout

Warn

Audited by Gen Agent Trust Hub on Apr 22, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructions direct the agent to dynamically assemble and execute shell commands using user-supplied strings (such as names and keywords) and results fetched from external research APIs. For example, professor names are interpolated into Bash command templates: bash ~/.claude/skills/search-lit/references/pubmed_eutils.sh search '"[Full Name]"[Author]' 200. This pattern is susceptible to command injection if inputs are not strictly sanitized.
  • [REMOTE_CODE_EXECUTION]: By executing Python one-liners and Bash scripts with arguments derived from external sources (e.g., PubMed metadata, MeSH terms) and untrusted user input, the skill risks triggering arbitrary code execution. An attacker could potentially craft an input (like a name or keyword) that breaks out of the intended shell context to execute unintended commands.
  • [EXTERNAL_DOWNLOADS]: The skill retrieves research data and publication metadata from well-known and reputable scientific platforms including PubMed (NCBI), Google Scholar, Consensus, and bioRxiv/medRxiv. These network operations are aligned with the skill's stated purpose for literature review and do not target malicious domains.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 22, 2026, 06:26 AM