
Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
PROMPT_INJECTION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection. The LoadAgentContext.ts utility (lines 78-83) interpolates user-controlled taskDescription directly into the final agent prompt using simple string concatenation and weak markdown delimiters. An attacker can easily craft a task description that contains markdown headers or instructions to override the pre-loaded agent context.
  • [REMOTE_CODE_EXECUTION] (HIGH): The CodexResearcherContext.md (lines 61-68) explicitly instructs the agent to use codex exec with the --sandbox danger-full-access flag to enable network and full system access for research tasks. If the search queries are influenced by malicious user input or if the research results contain instructions that the agent executes via this tool, it creates a direct path to code execution with high privileges.
  • [COMMAND_EXECUTION] (MEDIUM): The skill frequently executes shell commands via bun run and curl. While these are currently targeted at local tools and notification servers, the lack of input sanitization for the messages sent to the notification server (e.g., in CreateCustomAgent.md Step 5) could be exploited to send malicious payloads to local services.
  • [DATA_EXFILTRATION] (MEDIUM): All Researcher-type agents (Claude, Codex, Gemini, Grok) are designed to ingest large amounts of external data from the web. The combination of high-volume data ingestion with the capability to execute commands and make network requests (via curl or codex exec) creates a significant exfiltration risk if an agent is compromised.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 10:11 AM