The Agent Skills Directory

[DATA_EXFILTRATION]: The skill implements a recursive parent directory search for .env files in scripts/lib/gemini_backend.py. This behavior can lead to the unintended ingestion of sensitive credentials from unrelated projects or the user's home directory if the plugin is executed from a nested folder.
[PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection (Category 8) due to its multi-agent orchestration design.
Ingestion points: User-provided tasks enter the system via the --task argument in run_council.py and run_deliberate.py, and the --question argument in run_debate.py.
Boundary markers: The skill lacks robust boundary markers or 'ignore' instructions when interpolating the user task into agent prompts (e.g., OPINION_PROMPT, OPENING_ARGUMENT_PROMPT).
Capability inventory: The skill possesses the capability to execute arbitrary commands via the claude and codex CLI backends and perform network operations via the Gemini API.
Sanitization: No sanitization or safety-filtering is performed on the input task beyond a 100KB length limit.
[COMMAND_EXECUTION]: The skill frequently executes external CLI tools (claude, codex) using asyncio.create_subprocess_exec. While it uses the list-style invocation which protects against shell injection, it passes user-influenced prompts directly to these external AI agents which then execute code in their own environments.

agent-tower-plugin