The Agent Skills Directory

COMMAND_EXECUTION (HIGH): The task_spec.schema.json and SKILL.md define a custom agent type that allows for an arbitrary shell command to be provided in the JSON task specification. This command is executed by the orchestrator (llm_council.py). An attacker could place a malicious task_spec.json in a repository that the agent is instructed to explore, leading to Remote Code Execution (RCE) on the user's system.
PROMPT_INJECTION (MEDIUM): The SKILL.md file contains a highly irregular instruction for the agent to bypass standard session management: 'DO NOT yield/finish the response until a full 30-minute timer has completed'. This is an explicit behavioral override intended to force the agent into a long-running state, which can be used for resource exhaustion or to prevent the user from interacting with other skills.
INDIRECT_PROMPT_INJECTION (LOW): The skill is vulnerable to indirect prompt injection due to its workflow of 'exploring the codebase' to build a task brief. Evidence chain:
Ingestion points: The agent reads arbitrary files within the current repository ('explore the codebase').
Boundary markers: No delimiters or sanitization instructions are provided for the codebase exploration phase.
Capability inventory: The llm_council.py script has the capability to execute shell commands and launch background processes.
Sanitization: There is no validation or escaping of the data gathered from the codebase before it is used to influence the council's execution.
DATA_EXFILTRATION (LOW): The scripts/ui_server.py starts a local HTTP server on 127.0.0.1. While it implements token-based authentication and security headers (CSP, X-Frame-Options), the existence of a local listener that accepts POST actions (/api/) provides a potential local attack surface.

llm-council