research-wiki

Warn

Audited by Gen Agent Trust Hub on May 12, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to invoke a local Python helper script (tools/research_wiki.py). The instructions show the agent interpolating user-provided or externally sourced strings, such as paper titles, authors, and thesis statements, directly into shell command arguments. If these inputs contain shell metacharacters (e.g., backticks, semicolons, or subshell expansions), they could lead to arbitrary command execution on the host system.
  • [EXTERNAL_DOWNLOADS]: The skill fetches paper metadata and abstracts from the ArXiv Atom API. While ArXiv is a well-known and reputable academic service, the content itself is user-generated and untrusted, serving as an entry point for external data into the agent's persistent environment.
  • [PROMPT_INJECTION]: The skill exhibits a significant surface for indirect prompt injection. It ingests untrusted data from ArXiv abstracts and stores it in a persistent wiki. This content is later aggregated into a query_pack.md file, which is used as high-priority context for subsequent agent actions such as ideation (/idea-creator). A malicious abstract could contain instructions designed to influence the agent's future behavior or bypass constraints.
  • Ingestion points: ArXiv API (via ingest_paper and sync commands) and user input for paper details.
  • Boundary markers: None identified. The skill does not define delimiters or specific instructions to the agent to ignore instructions embedded within the ingested text.
  • Capability inventory: The skill environment includes high-privilege tools such as Bash(*), Write, Edit, and Agent.
  • Sanitization: There is no evidence of input validation, escaping, or sanitization of external content before it is stored or used in prompts.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 12, 2026, 12:59 AM