skills/boshu2/agentops/trace/Gen Agent Trust Hub

trace

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill builds shell commands by directly interpolating user input into strings that are then executed by sub-agents.
  • Evidence: In references/discovery-patterns.md, sub-agent prompts include instructions such as Run this command: cass search "<concept>" --json --limit 10 and grep -l "<concept>" .agents/handoff/*.md.
  • Risk: A malicious user could provide a concept containing shell metacharacters (e.g., "; whoami; #) to execute arbitrary commands with the agent's privileges.
  • [PROMPT_INJECTION] (LOW): The skill is susceptible to indirect prompt injection because it ingests and processes untrusted data from multiple external sources.
  • Ingestion points: The skill reads data from cass session history, git logs, and various files within .agents/handoff/, .agents/research/, and .agents/learnings/.
  • Boundary markers: Absent. There are no delimiters or instructions provided to the agent to distinguish between its own logic and the content being processed.
  • Capability inventory: The agent has the ability to execute shell commands (via sub-agents) and write files to the local .agents/research/ directory.
  • Sanitization: Absent. Data from external sources is not sanitized or validated before being incorporated into the final report summary.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 05:13 PM