war-room

Fail

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill contains explicit instructions to override safety constraints and bypass permission checks. Evidence: The expert-roles.md file defines a fallback command for the GLM-4.7 expert that includes the --dangerously-skip-permissions flag. This constitutes an intentional attempt to disable safety filters and remove constraints on a sub-component of the skill.
  • [COMMAND_EXECUTION]: The skill frequently executes external CLI tools through subprocess calls, which can be risky if the environment is not strictly controlled. Evidence: The expert-roles.md module defines execution patterns for gemini, qwen, and claude-glm using asyncio.create_subprocess_exec. Evidence: The SKILL.md defines Bash as a core tool, granting the agent broad execution capabilities during the deliberation process.
  • [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection due to its core functionality of ingesting and analyzing untrusted data. Ingestion points: The skill accepts problem statements and local files (--files argument) as primary inputs for the deliberation panel. Boundary markers: While the skill uses a Merkle-DAG for internal anonymization, it lacks robust delimiters or instructions to prevent expert models from obeying malicious instructions embedded within the ingested files. Capability inventory: The skill has access to Bash, Read, and Write tools, and can perform network operations via the gh CLI. Sanitization: There is no evidence of sanitization or filtering of input data before it is processed by the various LLM experts.
  • [EXTERNAL_DOWNLOADS]: The skill relies on several unverified external CLI dependencies that must be pre-installed on the host system. Evidence: Dependencies include gemini, qwen, claude-glm, gh, and tmux. The skill does not verify the integrity or source of these binaries, leading to a potential supply-chain vulnerability if a malicious binary is placed in the PATH.
  • [DATA_EXFILTRATION]: The skill includes a module for publishing deliberation results to external platforms, creating a potential path for data leakage. Evidence: discussion-publishing.md uses the GitHub CLI (gh) to post context, decisions, and deliberation phases to GitHub Discussions. While the skill prompts for user approval, this mechanism could be used to exfiltrate sensitive information extracted from the analyzed files during the deliberation phases.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 10, 2026, 09:45 PM