deploy-agent-team

Warn

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill documentation (SKILL.md and references/permissions-and-isolation.md) instructs users to set mode: "bypassPermissions" for sub-agents. This configuration disables interactive approval for sensitive actions like bash command execution and file system modifications, allowing autonomous agent behavior without a human-in-the-loop.
  • [PROMPT_INJECTION]: The system architecture creates a surface for indirect prompt injection through specialist agents that process untrusted data from external sources.
      ◦ Ingestion points: Agents such as the researcher (utilizing agent-browser) and marketer (utilizing x-research) are designed to ingest content from the public web and social media platforms, as described in references/agent-roster.md.
      ◦ Boundary markers: While a Boundaries section is suggested in the spawn prompt guide (references/spawn-prompt-guide.md), there are no specific delimiters or instructions for the agent to ignore or isolate potentially malicious commands embedded in external data.
      ◦ Capability inventory: Sub-agents possess significant capabilities, including tool invocation and file editing, which are particularly sensitive when permission prompts are bypassed.
      ◦ Sanitization: The skill does not provide mechanisms for sanitizing or validating the untrusted content fetched by the specialist agents.
  • [DATA_EXFILTRATION]: Several agents in the roster, such as the integration-expert and researcher, utilize tools with network access (e.g., Resend API, web browsers). These capabilities enable agents to communicate with external domains, which could be misused for data transfer.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 10, 2026, 03:57 AM