The Agent Skills Directory

COMMAND_EXECUTION (MEDIUM): The verify-loop.py script executes commands from task.json using subprocess.run with shell=True. Since task.json is a state file that agents are instructed to update, an agent influenced by malicious codebase content (indirect prompt injection) could inject arbitrary shell commands into the verification queue, leading to host compromise.
INDIRECT_PROMPT_INJECTION (LOW): The skill is designed to perform deep analysis of external codebases, creating a significant attack surface for indirect prompt injection. Evidence Chain: (1) Ingestion points: Codebase files read by code-explorer and code-architect agents. (2) Boundary markers: Absent; the skill lacks delimiters or explicit instructions to ignore embedded commands in ingested files. (3) Capability inventory: Agents have shell access via BashOutput, and verify-loop.py provides a persistence/execution path via task.json. (4) Sanitization: No sanitization or validation of ingested content is performed.
DATA_EXFILTRATION (LOW): The agent prompts define tools for both local file system access (Read, Glob) and external network access (WebFetch, WebSearch). If an agent's instructions are overridden, these tools could be used together to exfiltrate sensitive codebase data or environment variables.

do