skills/cexll/myclaude/omo/Gen Agent Trust Hub

omo

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION] (LOW): Potential for indirect prompt injection. The orchestration logic in SKILL.md passes raw output from search agents (explore, librarian) into the prompt context of agents with write and execution capabilities (develop).
      • Ingestion points: references/librarian.md fetches content from arbitrary external GitHub repositories and web searches. references/explore.md reads content from the local codebase.
      • Boundary markers: The skill uses ## Context Pack headers to delimit ingested content in agent prompts, but lacks instructions for agents to ignore malicious commands embedded within that data.
      • Capability inventory: The develop agent (references/develop.md) has the ability to modify files and execute tests, which can be exploited if an injection succeeds.
      • Sanitization: No evidence of sanitization, escaping, or instruction-filtering for the content passed between agents.
  • [EXTERNAL_DOWNLOADS] (LOW): The references/librarian.md agent performs gh repo clone to download external codebases to a temporary directory for analysis. While intended for research, this involves pulling untrusted data into the local environment.
  • [COMMAND_EXECUTION] (LOW): The skill relies on a custom wrapper codeagent-wrapper to execute shell-based agent tasks. The README.md also references an unprovided installation script python install.py --module omo, which represents an unverifiable initialization step.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 05:33 PM