subagent-creator

Warn

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill facilitates the creation of sub-agents with full access to the host system via the Bash tool.
      • Evidence: SKILL.md and references/available-tools.md explicitly define and encourage the use of the Bash tool for "executing Shell commands" across multiple examples (e.g., code-reviewer, debugger, data-scientist).
  • [COMMAND_EXECUTION]: The architecture supports a privilege mode that removes human-in-the-loop safety checks.
      • Evidence: SKILL.md documents the bypassPermissions value for the permissionMode field, which allows sub-agents to perform actions without requiring user approval.
  • [EXTERNAL_DOWNLOADS]: Sub-agents can be configured to interact with remote web resources.
      • Evidence: references/available-tools.md lists WebFetch and WebSearch as available tools for sub-agents to fetch and process arbitrary web content.
  • [DATA_EXFILTRATION]: The concurrent availability of file system access and network tools enables the unauthorized transmission of local data.
      • Evidence: A sub-agent configured with both Read/Grep (to access local files) and WebFetch (to reach external URLs) can be easily prompted to exfiltrate sensitive local data.
  • [PROMPT_INJECTION]: The skill defines a framework vulnerable to indirect prompt injection through data ingestion points.
      • Ingestion points: Sub-agents ingest data via the Read tool (local source code/logs) and the WebFetch tool (external web content).
      • Boundary markers: The provided templates (assets/subagent-template.md) and instructions lack requirements for delimiters or instructions to ignore embedded commands in processed data.
      • Capability inventory: Sub-agents possess high-impact capabilities including Bash command execution, Write/Edit file modification, and network access.
      • Sanitization: There are no requirements or examples provided for sanitizing or validating external content before it is processed by the agent's logic.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 5, 2026, 06:55 AM