The Agent Skills Directory

COMMAND_EXECUTION (HIGH): The skill explicitly supports a 'custom' agent type that executes arbitrary shell commands. This is documented in SKILL.md and defined in references/schemas/task_spec.schema.json, where the 'command' and 'extra_args' fields allow for unconstrained shell activity.
REMOTE_CODE_EXECUTION (HIGH): Because the 'run' command in scripts/llm_council.py takes a path to a task specification file (--spec), an attacker who can trick a user into running a malicious spec file can achieve full code execution on the host.
PROMPT_INJECTION (HIGH): The skill is a classic target for Indirect Prompt Injection (Category 8). Evidence Chain: 1. Ingestion points: The task_spec JSON and the stdout/stderr of external LLM planners are ingested; 2. Boundary markers: Prompt templates in references/prompts.md use {{TASK_BRIEF}} and {{PLANS_MD}} delimiters; 3. Capability inventory: The skill has arbitrary command execution via 'custom' agents and file system write access for logs and artifacts; 4. Sanitization: While it uses an 'Anonymizer' to remove metadata, it lacks robust validation for the content of 'custom' commands or the logic processed by the Judge.
SESSION_MANIPULATION (MEDIUM): SKILL.md contains an explicit instruction for the agent to keep the session open for 30 minutes and not yield. This behavior could be exploited to hide long-running malicious processes from the user or exhaust system resources.

llm-council