orchestrate

Pass

Audited by Gen Agent Trust Hub on May 8, 2026

Risk Level: SAFE

Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection via the plan.json file. Maliciously crafted content in the task.spec, user_intent, or acceptance_criteria fields is interpolated directly into sub-agent prompts, where it could override the orchestrator's logic or the sub-agent's behavior.
  • Ingestion points: The skill reads plan.json using the Read tool in Step 1.
  • Boundary markers: No explicit boundary markers or 'ignore embedded instructions' warnings are used when interpolating task data into the sub-agent prompt template in Step 3.
  • Capability inventory: The skill utilizes the Agent tool (for task execution and judging), the Bash tool (for verification commands), and the Read tool (to load the plan).
  • Sanitization: Step 1 implements a rudimentary keyword-based safety scan (e.g., checking for rm -rf /). A keyword match is an insufficient protection mechanism against obfuscated or otherwise complex injection attacks.
  • [COMMAND_EXECUTION]: The skill executes arbitrary shell commands defined in the verify_command field of the plan.json file using the Bash tool (Step 5). Command execution is therefore controlled by the input data rather than by the skill itself.
  • [PROMPT_INJECTION]: The instructions in Step 1 provide a mechanism to bypass the safety scan. If a safety issue is detected, the agent is instructed to "ask the user whether to continue," which could be exploited through social engineering or by an agent already influenced by a prompt injection.
Audit Metadata
Risk Level: SAFE
Analyzed: May 8, 2026, 03:59 AM