AGENT LAB: SKILLS

autonomous-skill

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: CRITICAL
Categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • Remote Code Execution (CRITICAL): The skill documentation and CLI reference explicitly promote the use of the --dangerously-bypass-approvals-and-sandbox flag with the Codex CLI. This configuration allows the AI to execute arbitrary code on the host system without sandboxing, isolation, or user confirmation. Evidence: SKILL.md CLI reference section.
  • Command Execution (HIGH): The executor-prompt.md instructions guide the agent to perform various shell operations, including file system navigation, file content reading, and git repository modification. The autonomous nature of the execution loop means these commands are run without manual verification. Evidence: templates/executor-prompt.md Steps 1, 4, and 8.
  • Indirect Prompt Injection (HIGH): The skill possesses a significant attack surface for Category 8 indirect injection. Untrusted data from user-provided task descriptions is used by the Initializer to create a task_list.md, which the Executor subsequently processes. There is a total lack of boundary markers, sanitization, or validation of the tasks generated from external input. Evidence: Ingestion in templates/initializer-prompt.md and execution in templates/executor-prompt.md.
  • Data Exfiltration (MEDIUM): By providing a --network option that leverages the unsandboxed execution mode, the skill grants the AI the capability to transmit sensitive local data or environment secrets to external domains. Evidence: SKILL.md script options and usage examples.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: CRITICAL
  • Analyzed: Feb 15, 2026, 11:51 PM