The Agent Skills Directory

PROMPT_INJECTION (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8) because it ingests untrusted user input and external data for processing through high-capability sub-skills. * Ingestion points: User-provided 'idea' in TestIdea.md and web-sourced data via the Research skill in UpdateModels.md. * Boundary markers: Absent; untrusted data is interpolated directly into prompts for RedTeam, Council, and Research skills. * Capability inventory: The skill can execute shell commands (curl), write to persistent local storage (~/.claude/MEMORY/RESEARCH/WorldModels/), and orchestrate multi-agent tasks. * Sanitization: No sanitization or validation of external input is performed before interpolation.
COMMAND_EXECUTION (LOW): The skill instructs the agent to execute shell-based curl commands to a local notification endpoint (http://localhost:8888/notify). * Evidence: Found in SKILL.md and all workflow files. While the destination is a whitelisted local address, these commands interpolate analysis summaries that may contain fragments of untrusted input, creating a potential risk if the local notification service is vulnerable to command injection or if the agent fails to escape the shell string correctly.

WorldThreatModelHarness