grunk

Warn

Audited by Gen Agent Trust Hub on Apr 27, 2026

Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The script scripts/run-grunk-loop.sh automatically executes npm install if it detects a package.json file in the task worktree. This allows for the execution of arbitrary code via npm lifecycle scripts (e.g., preinstall, postinstall) if the repository being worked on contains malicious configurations.
  • [COMMAND_EXECUTION]: The skill and its associated scripts execute numerous shell commands, including git operations (git worktree, git push, git commit), task management via the bd tool, and Python-based JSON processing. Although these commands serve the skill's normal workflow, they are executed with parameters derived from external task data.
  • [DATA_EXFILTRATION]: The skill is configured to automatically commit all changes (git add -A) and push them to a remote repository. If an attacker leverages the prompt injection vulnerabilities described below, they could trick the agent into staging and pushing sensitive files (like .env or SSH keys) to a remote server.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection by design. It treats instructions found in GUARDRAILS.md and task descriptions from the bd tool as authoritative rules for its behavior.
      • Ingestion points: Instructions are read from GUARDRAILS.md (or .opencode/GUARDRAILS.md) and task metadata retrieved via bd show.
      • Boundary markers: None. The skill directly executes patterns defined in the ingested files.
      • Capability inventory: Subprocess execution, file system modification, network exfiltration (via git push), and package installation.
      • Sanitization: None. The content is cat-ed and its rules are followed immediately.
  • [COMMAND_EXECUTION]: SKILL.md attempts to load and follow rules from an external local file path ~/.agents/skills/caveman/SKILL.md. If this location is writable by other processes or if the agent is tricked into creating it, it can serve as a persistent injection vector for malicious instructions.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 27, 2026, 05:13 PM