The Agent Skills Directory

[COMMAND_EXECUTION]: The compilation command in Phase 2a (cd <project-dir> && latexmk ... <filename>.tex) uses string interpolation to build a shell command. If the <project-dir> or <filename> arguments contain shell metacharacters like ";", "&&", or "|", it allows for arbitrary command execution on the host system.
[COMMAND_EXECUTION]: In Phase 1, the skill modifies the ".latexmkrc" configuration file to include a Perl "system()" call: "system("cp $out_dir/*.pdf . 2>/dev/null")". Since latexmk automatically executes the contents of ".latexmkrc" as Perl code, this creates a mechanism where shell commands are executed based on a configuration file that the agent is instructed to modify and trust.
[PROMPT_INJECTION]: The skill implements an autonomous "Compile-Fix Loop" (Phase 2) that parses LaTeX log files ("out/.log") to automatically modify the source ".tex" files. An attacker could craft a malicious LaTeX document that, when compiled, generates specific log signatures designed to trick the agent into performing harmful edits or package injections (Indirect Prompt Injection).
Ingestion points: "out/.log" (generated from untrusted source), ".tex" files, and ".bib" files.
Boundary markers: None. The skill lacks delimiters or instructions to ignore embedded commands within the log data.
Capability inventory: Access to tools including Bash, Write, Edit, and Grep.
Sanitization: The skill performs no validation or escaping of the content extracted from log files before using it to apply auto-fixes.

latex-autofix