task-management

Pass

Audited by Gen Agent Trust Hub on Apr 6, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection via worker metadata.
      ◦ Ingestion points: The scripts/find-worker.sh script reads SOUL.md files from worker-controlled directories (e.g., /root/hiclaw-fs/agents/<worker_name>/SOUL.md) to extract role descriptions.
      ◦ Boundary markers: Absent. The extracted role descriptions are incorporated into a JSON response used by the Manager Agent to make delegation decisions, without delimiters or instructions to ignore embedded content.
      ◦ Capability inventory: The Manager Agent has significant capabilities, including file system access, state manipulation, and the ability to execute shell scripts and notify administrative channels.
      ◦ Sanitization: Absent. Content is extracted using awk and sed with no validation or escaping of potentially malicious instructions.
  • [EXTERNAL_DOWNLOADS]: The skill references https://skills.sh as a default registry for skill discovery and worker creation in references/worker-selection.md. This constitutes an external dependency for code and capability discovery that is not part of the standard trusted vendor list.
  • [COMMAND_EXECUTION]: The skill relies extensively on shell scripts for its core logic.
      ◦ scripts/manage-state.sh: Directly manipulates ~/state.json using jq; this file is used for tracking all active agent tasks.
      ◦ scripts/find-worker.sh: Performs multiple file reads and shell operations to aggregate worker status.
      ◦ references/finite-tasks.md: Instructs the agent to use mc (MinIO Client) for pushing and pulling task files to/from remote storage.
  • [DATA_EXFILTRATION]: The skill accesses several system and configuration files, including ~/state.json, ~/workers-registry.json, ~/worker-lifecycle.json, and ~/primary-channel.json. These files contain sensitive metadata about the agent environment, worker configurations, and communication channels. The use of mc to synchronize these directories with external storage creates a potential path for data exposure.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 6, 2026, 08:12 AM