genesis-orchestrator

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill instructions explicitly command the agent to execute multiple shell operations including pnpm turbo run, uv run pytest, pnpm run docker:up, and various git commands (commit, stash, checkout). These are integrated into the autonomous workflow loop.
  • [REMOTE_CODE_EXECUTION] (HIGH): The use of pnpm build, pnpm run, and uv run triggers the execution of scripts and dependencies defined in the local environment. If an attacker can influence the project files (e.g., via a malicious PR or dependency confusion), the orchestrator will execute that code with the user's privileges.
  • [PROMPT_INJECTION] (HIGH): Category 8, Indirect Prompt Injection. The skill is designed to process external untrusted data as a core feature, creating a significant attack surface.
      ◦ Ingestion points: The skill reads package.json, docker-compose.yml, and scans the entire local file structure during the 'Discovery' phase.
      ◦ Boundary markers: Absent. There are no instructions to treat data from these files as untrusted or to ignore embedded natural language instructions.
      ◦ Capability inventory: The agent has full shell access (pnpm, uv, git), file creation/modification rights (writing ARCHITECTURE.md and spec files), and the ability to influence its own logic flow based on the data it reads.
      ◦ Sanitization: Absent. The data from indexed files is used directly to calculate 'Technical Debt' and inform the 'Vision Board' and 'Blueprint' phases.
  • [DATA_EXFILTRATION] (MEDIUM): While no explicit outbound network transmission is present, the skill is instructed to index sensitive configuration files such as package.json and environment files (Section A: Core Configuration). Given the command execution capabilities, a prompt injection via project files could easily exfiltrate these secrets via curl or git push.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:38 PM