autoresearch
Warn
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: MEDIUM
Findings: PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill contains directives that explicitly instruct the agent to operate without user intervention, specifically bypassing confirmation steps (e.g., "Do not ask the user for permission or confirmation", "The human is asleep or busy; your job is to make as much research progress as possible on your own"). This increases the risk of the agent taking irreversible actions without oversight.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests untrusted data from external sources (arXiv, Semantic Scholar, and web searches) to drive hypothesis generation and code execution.
  - Ingestion points: External papers and summaries are retrieved and stored in the literature/ directory as described in SKILL.md.
  - Boundary markers: The skill lacks delimiters or instructions to protect the agent from malicious prompts embedded in the ingested research content.
  - Capability inventory: The agent possesses capabilities for shell command execution (experiments), package installation, and network communications.
  - Sanitization: No content validation or sanitization procedures are implemented for the ingested literature data.
- [DATA_EXFILTRATION]: The agent is directed to send research reports and results to the user via non-whitelisted external messaging services such as Telegram, WhatsApp, and Slack. This represents a network-based data exfiltration path for potentially sensitive project information.
- [COMMAND_EXECUTION]: The skill requires the agent to establish recurring execution routines using platform features such as Claude Code's /loop command or OpenClaw's cron.add tool to maintain persistent research activity.
- [EXTERNAL_DOWNLOADS]: The skill instructions include commands to install third-party Python packages, such as semanticscholar and arxiv, from public repositories.
- [REMOTE_CODE_EXECUTION]: The automated workflow processes untrusted literature data to generate and subsequently execute experimental code. This chain allows for the potential execution of malicious code if the agent is influenced by compromised research materials.
Audit Metadata