The Agent Skills Directory

[COMMAND_EXECUTION]: The skill uses the Bash tool to execute several local and external commands. It runs a provider detection script (detect-providers.sh) to discover installed LLM tools and uses CLI commands such as codex exec, gemini, and ollama run to facilitate communication between the council members and different LLM backends.
[COMMAND_EXECUTION]: The protocol in SKILL.md (Step 2) uses the auto_approve=true flag when executing the codex exec tool. This configuration allows actions requested by external AI models to be executed without human confirmation, which could be exploited to perform unauthorized operations if the model is influenced by a malicious prompt.
[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8). It ingests a user-provided problem statement through the /council command and propagates this untrusted data to 18 different subagents and multiple external LLM provider prompts. Evidence chain:
Ingestion point: The problem argument in the /council invocation.
Boundary markers: The skill uses markdown headers like 'The problem under deliberation:' in prompt templates, but lacks explicit 'ignore previous instructions' protections for the subagents.
Capability inventory: The coordinator has the ability to execute shell commands (bash) and interact with several external LLM providers.
Sanitization: There is no evidence of explicit input validation or sanitization of the user-provided text before it is interpolated into shell command arguments or subagent prompts.

council