multi-agent-architecture

Fail

Audited by Gen Agent Trust Hub on Mar 13, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The configuration templates for both the news and code agents in SKILL.md explicitly include the exec tool in their tools.allow configuration. This grants these agents the ability to execute shell commands directly on the environment where the agent is running.
  • [REMOTE_CODE_EXECUTION]: The News Agent configuration pairs the web_fetch capability (fetching content from arbitrary URLs) with the exec tool. This pattern is highly susceptible to indirect prompt injection, where a malicious website could provide instructions that the agent then translates into executable commands.
  • [DATA_EXFILTRATION]: The Code Agent is granted read, write, and edit capabilities. When combined with its ability to communicate via the message tool or spawn new sessions, this architecture facilitates the unauthorized reading and transmission of sensitive local files.
  • [PROMPT_INJECTION]: The 'Intelligent Spawn' system relies on the Main Agent to parse user-supplied task descriptions and route them to sub-agents. This design lacks robust boundary markers, allowing a user to potentially inject instructions that bypass intended restrictions or trick the system into routing a malicious payload to an agent with high-privilege tools like exec.
  • Ingestion points: External web content via web_fetch in the news agent; user-provided task strings in sessions_spawn calls within SKILL.md examples.
  • Boundary markers: No boundary markers or 'ignore' instructions are present in the system prompt examples or configuration files.
  • Capability inventory: exec, read, write, edit, web_fetch, and message tools distributed across various agent configurations.
  • Sanitization: The skill lacks any documentation or implementation of input sanitization or validation before passing data to the exec or sessions_spawn functions.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 13, 2026, 06:59 AM