research-lookup

Fail

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: Both SKILL.md and README.md instruct the user and the agent to install the parallel-cli tool by piping a script from a remote URL directly into a shell: curl -fsSL https://parallel.ai/install.sh | bash. This pattern allows for arbitrary code execution if the remote server is compromised or the connection is intercepted.
  • [COMMAND_EXECUTION]: The scripts/generate_schematic.py script uses subprocess.run to launch scripts/generate_schematic_ai.py, passing user-provided input such as diagram descriptions as command-line arguments. Although shell=True is not used, this still constitutes runtime command execution driven by untrusted input.
  • [EXTERNAL_DOWNLOADS]: The skill performs multiple external network operations, including fetching the installation script from parallel.ai, making API calls to api.parallel.ai for research synthesis, and connecting to openrouter.ai to access Perplexity's academic search models.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it ingests untrusted data from external web and academic searches and processes it within the agent's context without adequate safety measures.
  • Ingestion points: The skill fetches research findings from external APIs and saves them to local files in the sources/ directory, which are then read by the agent.
  • Boundary markers: There are no delimiters or specific instructions provided to the agent to treat content in the sources/ files as untrusted data or to ignore any embedded instructions within that data.
  • Capability inventory: The agent is granted significant capabilities, including the Bash tool for shell command execution and Write/Edit tools for file modification.
  • Sanitization: No evidence of sanitization, filtering, or escaping of the external search content was found before the data is interpolated into the agent's context.
Recommendations
  • HIGH: Downloads and executes remote code from: https://parallel.ai/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
CRITICAL
Analyzed
May 18, 2026, 03:40 AM
Security Audit — agent-trust-hub — research-lookup