The Agent Skills Directory

Remote Code Execution (MEDIUM): The file assets/workspace-templates/instructions/dev/python.instructions.md contains a command to install the 'uv' package manager using a piped remote script: powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/install.ps1 | iex". Piped execution (curl|bash or irm|iex) is a critical risk pattern as it executes unverified remote code directly in the shell. The severity is lowered to MEDIUM because it is presented as a documentation template for a common tool, but remains a security concern.
Command Execution (LOW): Multiple prompt templates (e.g., gc_Commit.prompt.md, gcp_Commit_Push.prompt.md) automate shell commands for Git operations. Although the skill includes 'Security Instructions' to avoid git push without permission, the presence of these automated templates increases the risk of accidental data exposure or branch pollution.
Privilege Escalation (LOW): The recommended installation command for uv explicitly uses -ExecutionPolicy ByPass. While standard for many Windows-based developer tools, this is a security bypass technique used to circumvent local script execution restrictions.
Indirect Prompt Injection (LOW): The skill defines complex multi-agent patterns (Orchestrator-Workers, Evaluator-Optimizer) that ingest and process data across multiple stages. This creates an attack surface where a malicious input to one sub-agent could influence the behavior of the entire system. Mandatory evidence chain:
Ingestion points: User requests and file contents read by the Orchestrator.
Boundary markers: Prompts recommend using IR (Intermediate Representation) and structured Markdown delimiters.
Capability inventory: Agents have access to terminal, read, edit, and agent (sub-agent) tools.
Sanitization: Relies on human-in-the-loop review and 'Done Criteria' validation rather than technical escaping.

agentic-workflow-guide