cmux-second-opinion

Warn

Audited by Gen Agent Trust Hub on Apr 14, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill invokes secondary agents using high-risk flags, specifically --dangerously-bypass-approvals-and-sandbox for Codex and --dangerously-skip-permissions for Claude Code. These flags are used to automate the review flow but effectively disable user confirmation prompts and sandbox constraints for the child agent.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface because it processes untrusted external data (code diffs and specification documents) and passes it directly to another AI agent without sanitization.
      - Ingestion points: Data enters the agent context via `git diff HEAD` and various files in the .specs/ directory.
      - Boundary markers: The skill uses basic Markdown headers (e.g., ## Diff, ## Specifications) to separate data from instructions, but lacks explicit delimiters or specific instructions telling the agent to ignore potentially malicious commands embedded in the processed files.
      - Capability inventory: The skill uses cmux to control multiple agent workspaces, and the reviewer agents are explicitly granted elevated execution permissions via the bypass flags mentioned above.
      - Sanitization: No escaping, filtering, or validation is performed on the ingested code or specification content before it is interpolated into the prompt for the secondary agent.
Audit Metadata
  Risk Level: MEDIUM
  Analyzed: Apr 14, 2026, 05:51 PM