citation-verification
Fail
Audited by Gen Agent Trust Hub on May 31, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The README and install.sh promote the use of 'curl -fsSL ... | bash' for installation. This pattern allows for the execution of remote scripts with full user privileges, bypassing security inspections and posing a significant risk of arbitrary command execution if the repository or communication channel is compromised.
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the 'paper-ladder' library directly from a personal GitHub repository (github.com/SteadfastAsArt/paper-ladder.git) rather than a verified package registry. This lack of centralized verification or version pinning increases the risk of supply chain attacks.
- [REMOTE_CODE_EXECUTION]: The skill relies on the execution of Python scripts (extract_citations.py) that perform network operations and document parsing. While these are part of the core functionality, the execution of external code during setup and at runtime for citation fetching constitutes a remote code execution vector.
- [COMMAND_EXECUTION]: The installation guide suggests using 'chmod -R 755' on the skills directory. While intended for permission management, modifying directory permissions across the skills folder is a broad permission change.
- [PROMPT_INJECTION]: The skill identifies and processes data from untrusted document sources, creating a vulnerability to indirect prompt injection. (1) Ingestion points: Document text is ingested via file reading or user input as seen in SKILL.md and scripts/extract_citations.py. (2) Boundary markers: No specific boundary markers or instructions to ignore embedded commands are present in the skill instructions. (3) Capability inventory: The agent can execute shell commands, perform network requests to academic databases, and read/write files. (4) Sanitization: No sanitization or escaping of the ingested document content is performed before it is used to construct queries or influence agent behavior.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/SteadfastAsArt/citation-verification-skill/main/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata