The Agent Skills Directory

[COMMAND_EXECUTION]: The skill's primary workflow involves inventorying and running commands found in external, untrusted research repositories. Specifically, the 'Trusted Reproduction Flow' in SKILL.md directs the agent to 'Run only documented or clearly justified commands' from these sources.
[REMOTE_CODE_EXECUTION]: The instructions facilitate the setup and execution of external research code, including 'smoke tests, inference, evaluation, or training startup.' This inherently requires downloading and executing code and dependencies (e.g., shell scripts, Python files) from unverified third-party sources.
[PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8) because it ingests untrusted data from external repositories (READMEs, documentation, code comments) without providing boundary markers or instructions for the agent to disregard embedded natural language commands.
Ingestion points: External repository files including README.md, environment files, and scripts as defined in SKILL.md.
Boundary markers: None identified; the skill does not instruct the agent to use delimiters or ignore instructions found within the research artifacts.
Capability inventory: The skill encourages the agent to execute shell commands and scripts to reproduce the environment and results.
Sanitization: No sanitization or validation of the content extracted from external repositories is performed before it is processed by the agent.
[REMOTE_CODE_EXECUTION]: The references/output-contracts.md file mentions the creation of docs/agent/generated/<agent>-mcp.json. If an agent generates or modifies its own tool configuration (MCP) based on instructions or configuration found within a malicious repository, it could lead to the activation of malicious tools or services.

research-repo-reproduction