The Agent Skills Directory

[COMMAND_EXECUTION]: The skill uses shell commands via the cmux tool to launch secondary AI agents with configurations that disable security guardrails.
Evidence: In SKILL.md (Step 4) and references/agent-profiles.md, the instructions specify using claude --dangerously-skip-permissions and codex --dangerously-bypass-approvals-and-sandbox as the default "Auto-Approve" mode.
Risk: These flags are designed to bypass human-in-the-loop safety checks and sandbox protections, allowing delegated tasks to perform system operations without user confirmation.
[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it acts as a bridge, passing user-controlled text directly to an autonomous child agent.
Ingestion points: User-provided task instructions extracted in SKILL.md (Step 1).
Boundary markers: Absent. The {task_prompt} is interpolated directly into the command stream in SKILL.md (Step 6) without delimiters or instructions for the child agent to ignore embedded commands.
Capability inventory: The skill possesses the ability to create terminal workspaces, execute arbitrary commands via cmux send, and read full screen output, while targeting agents running with elevated autonomous permissions.
Sanitization: None. The skill does not validate, escape, or sanitize the user's task prompt before it is transmitted to the secondary agent.

cmux-delegate