literature-review

Fail

Audited by Gen Agent Trust Hub on Jun 20, 2026

Risk Level: HIGH
Categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The SKILL.md file instructs the agent/user to install the 'parallel-cli' tool using the command curl -fsSL https://parallel.ai/install.sh | bash. Executing remote scripts directly via a shell pipe is a high-risk pattern that allows for arbitrary code execution from an unverified external source.
  • [EXTERNAL_DOWNLOADS]: The skill relies on downloading and installing several external dependencies, including system-level tools like Pandoc and LaTeX, as well as a custom CLI tool from 'parallel.ai'. While some tools are from well-known sources, the inclusion of unverified third-party installers is a significant security concern.
  • [COMMAND_EXECUTION]: The script scripts/generate_pdf.py uses subprocess.run to call system binaries (pandoc, xelatex). This allows the skill to execute commands on the host system. While the script avoids shell=True, it remains a vector for command-based risks if manipulated inputs reach the arguments passed to those binaries.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because its primary function is to ingest and synthesize large amounts of untrusted external data from academic databases.
    • Ingestion points: External paper abstracts, full texts, and metadata retrieved via parallel-cli, gget, and direct API calls.
    • Boundary markers: None. The instructions do not specify the use of delimiters or 'ignore' instructions when reading search results.
    • Capability inventory: The skill has the ability to write files to the local filesystem and execute system commands via scripts/generate_pdf.py.
    • Sanitization: There is no evidence of sanitization or filtering to prevent instructions embedded within academic papers from influencing the agent's behavior during synthesis.
Recommendations
  • HIGH: Downloads and executes remote code from: https://parallel.ai/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Jun 20, 2026, 09:48 AM
Security Audit — agent-trust-hub — literature-review