agent-creator

Warn

Audited by Gen Agent Trust Hub on Mar 31, 2026

Risk Level: MEDIUM
Finding categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The example script notify-coordinator.sh provided in examples/complete-agent-examples.md is vulnerable to cross-session command injection. The script parses variables from a local markdown file using grep and sed and passes them to tmux send-keys. Since tmux send-keys injects input directly into the target session's terminal, an attacker who can influence the content of the .claude/multi-agent-swarm.local.md file (e.g., through a malicious pull request or by compromising a data source analyzed by a worker) can execute arbitrary shell commands in the coordinator's tmux session.
  • [PROMPT_INJECTION]: The swarm-worker agent template is vulnerable to indirect prompt injection. The agent is designed to read and follow instructions found in a local state file. If these instructions contain malicious prompts, the agent may execute unintended actions given its broad tool access including Bash and Write capabilities.
  • Ingestion points: .claude/multi-agent-swarm.local.md (read by swarm-worker.md template)
  • Boundary markers: Absent (no delimiters or instructions to ignore embedded commands provided in the template)
  • Capability inventory: Read, Write, Edit, Bash, Grep, Glob in the swarm-worker.md template
  • Sanitization: Absent (the agent parses the markdown frontmatter and body directly without validation or escaping)
  • [SAFE]: The skill credits, and derives its structure from, the official 'anthropics/claude-code' repository documentation.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 31, 2026, 02:10 PM