gepetto

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: CRITICAL
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (CRITICAL): Arbitrary command injection vulnerability in references/external-review.md. The skill executes shell commands that interpolate the content of a local file without escaping or sanitization.
      ◦ Evidence: The commands gemini ... "$(cat '<planning_dir>/claude-plan.md')" and echo "... $(cat '<planning_dir>/claude-plan.md')" | codex ... evaluate file content inside a shell context.
      ◦ Risk: An implementation plan (which may be influenced by untrusted web research or malicious user input) containing backticks, subshell syntax $(), or quotes can execute arbitrary commands on the host system.
  • [INDIRECT_PROMPT_INJECTION] (HIGH): The skill lacks a security boundary when handling external content, allowing data to be interpreted as instructions.
      ◦ Ingestion points: claude-plan.md (derived from user input and research) and claude-research.md (derived from WebFetch).
      ◦ Boundary markers: Absent. Content is interpolated directly into prompts for subagents and external CLIs.
      ◦ Capability inventory: Shell command execution, parallel subagent spawning, and recursive file writing.
      ◦ Sanitization: Absent. There is no escaping of markdown or shell-sensitive characters before data is passed to downstream components.
  • [DATA_EXFILTRATION] (MEDIUM): Project plans are automatically transmitted to external third-party LLM providers (Google and OpenAI) via CLI tools.
      ◦ Evidence: references/external-review.md sends the full plan content externally to the gemini and codex CLIs.
      ◦ Risk: Sensitive architectural details or proprietary code patterns in claude-plan.md are exfiltrated to external services without explicit per-file user approval in the automated workflow.
  • [PROMPT_INJECTION] (LOW): The skill uses persona-adoption instructions ("You are a senior software architect") which, while common, increase the likelihood of an agent prioritizing embedded data instructions over safety constraints in the absence of delimiters.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
CRITICAL
Analyzed
Feb 15, 2026, 10:17 PM