The Agent Skills Directory

[Remote Code Execution] (HIGH): The skill's installation and setup scripts involve downloading and executing remote code via shell pipes and repository cloning. Evidence: Multiple instances of 'curl | bash' or 'curl | sh' were detected targeting astral.sh, rams.ai, and githubusercontent.com. The skill also clones 'https://github.com/AvivK5498/The-Claude-Protocol' and runs a 'bootstrap.py' script from the clone.
[Dynamic Execution] (MEDIUM): The 'mcp-provider-delegator' component facilitates dynamic execution of agent logic by passing prompts to external CLI tools (Codex and Gemini). Evidence: 'provider_client.py' uses 'asyncio.create_subprocess_exec' to invoke external AI providers with generated prompts.
[Command Execution] (LOW): The skill installs numerous shell-based 'hooks' into the agent's environment (e.g., '.claude/hooks/') to enforce workflow rules. These scripts run automatically during various tool lifecycle events. Evidence: Multiple shell scripts in 'templates/hooks/' are deployed to the local filesystem.
[Indirect Prompt Injection] (LOW): The system is designed to ingest and process data from external, potentially untrusted sources like git commit history and task comments. Ingestion points: 'bd comments', 'git log', and browser tools in 'detective.md'. Boundary markers: Uses XML-like tags (e.g., '') but lacks robust sanitization for interpolated data. Capability inventory: Specialized agents have extensive tool access including 'Bash', 'Write', and 'Task' execution. Sanitization: No explicit content filtering or escaping of ingested data is implemented.

create-beads-orchestration