The Agent Skills Directory

PROMPT_INJECTION (HIGH): The skill utilizes 'forceful language' patterns specifically designed to override the sub-agent's safety filters and confirmation protocols. Evidence includes instructions like 'Do not ask questions', 'Apply changes immediately', 'Do not ask for confirmation', and 'Zero tolerance for nonsense'. The 'Whip Cracking' section contains templates meant to suppress the sub-agent's autonomy, which can be exploited to bypass safety guardrails.
COMMAND_EXECUTION (HIGH): The skill's core functionality relies on the 'gemini' CLI tool being invoked with the '--yolo' flag. This flag is explicitly used to achieve 'auto-approval', removing the human-in-the-loop for file modifications and command execution. Examples in 'workflows.md' show the agent delegating 'npm install' and 'npm test' commands through this unvetted channel.
REMOTE_CODE_EXECUTION (HIGH): Through the delegation workflow, the agent is encouraged to run package installations ('npm install') and execute application code ('npm start') via the sub-agent. Because the manager (Claude) is instructed to 'Apply changes now' without manual verification of the code generated by the sub-agent, this creates a direct path for executing malicious code injected during the generation phase.
INDIRECT PROMPT INJECTION (LOW): The skill has a significant attack surface for indirect injection. It reads external files (untrusted data) using 'Read' and 'Grep', then interpolates that content directly into instructions passed to the 'gemini' CLI. There are no boundary markers or sanitization steps mentioned before this interpolation, though 'antipatterns.md' provides some post-execution verification checks.

gemini-manager