aut-sci-ppt

Warn

Audited by Gen Agent Trust Hub on May 10, 2026

Risk Level: MEDIUM
Finding categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The file src/aut_sci_ppt/generator/formula_renderer.py uses subprocess.run to execute pdflatex and pdftoppm. The pdflatex command processes a temporary file containing LaTeX code provided by the user. LaTeX is a programming language, not inert markup: if shell escape is enabled in the local TeX installation, \write18 in the input runs arbitrary commands, and even without it, primitives such as \input and \openin can read files that the engine then reproduces in the rendered output or the log. Unless the engine is invoked with shell escape disabled and file access restricted, maliciously crafted LaTeX input can read system files or execute commands.
  • [COMMAND_EXECUTION]: The file src/aut_sci_ppt/pdf_extractor.py executes an external Python script via subprocess.run. The script path is constructed from a hardcoded location in the user's home directory (~/.openclaw/.../Sh_Sci_Fig/scripts/extract_figure.py). The file is run without any check of its origin, ownership or permissions, so anything that can write to that directory (another skill, a careless install step, a compromised user process) gets code execution in the agent's context the next time a figure is extracted.
  • [DATA_EXFILTRATION]: In src/aut_sci_ppt/generator/formula_renderer.py, user-provided LaTeX strings are sent to the external service latex.codecogs.com via an HTTP GET request as a fallback rendering method, with the formula carried in the URL. This transmits potentially sensitive academic content to a third-party server, and because it travels in the query string it is also recorded by any proxy or server log along the way. The fallback is silent: a user who believes rendering is local has no indication that unpublished material left the host.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes text extracted from external PDF files. An attacker can embed instructions in a PDF (including in white text or outside the visible page area) to manipulate the agent's output or behavior during the content structuring phase; combined with the capabilities listed below, such instructions could steer the agent toward running commands or sending data off-host.
  • Ingestion points: External text is ingested from PDF files in src/aut_sci_ppt/paper_workflow.py and via direct text input in src/aut_sci_ppt/parser/text_parser.py.
  • Boundary markers: The skill does not employ explicit boundary markers or delimiters to isolate untrusted data when sending content to the AI parsing layer in src/aut_sci_ppt/parser/ai_parser.py.
  • Capability inventory: The skill has the ability to execute shell commands (subprocess.run) and make network requests (urllib.request, requests).
  • Sanitization: There is no specific validation or sanitization of the input text to filter out administrative or override-style instructions before they are processed by the LLM.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 10, 2026, 08:44 AM