The Agent Skills Directory

[COMMAND_EXECUTION]: The skill processes a list of operations from an external source (Worker) and executes them directly in a shell context. The instructions explicitly tell the agent to execute 'literally what to run' without any verification or whitelisting, which allows for arbitrary shell command injection.
[DATA_EXFILTRATION]: By granting the ability to execute arbitrary git commands alongside access to host credentials, the skill can be exploited to push sensitive local files, environment variables, or the host's SSH keys to an attacker-controlled remote repository via git push.
[CREDENTIALS_UNSAFE]: The skill is configured to use the host's global git configuration and credentials (SSH keys, credential helpers) by symlinking /host-share/.gitconfig to /root/.gitconfig. This exposes high-value host secrets to any commands sent by potentially untrusted Workers.
[REMOTE_CODE_EXECUTION]: The core logic of the skill involves executing code supplied at runtime from an external entity. Since there are no checks on the 'operations' list, this represents a direct remote code execution vector.
[PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection due to its architecture of ingesting and acting upon instructions from external 'Workers'.
Ingestion points: Untrusted data enters the agent's context through the git-request: block provided in worker messages.
Boundary markers: While the skill uses a structured block format, it lacks instructions to treat the content as data rather than executable instructions, and it fails to provide any 'ignore embedded instructions' warnings.
Capability inventory: The agent has the capability to execute shell commands, perform network operations via git and mc, and access host-level credentials and the filesystem.
Sanitization: There is no evidence of command escaping, validation against a safe schema, or filtering of the user-supplied command list.

git-delegation-management