The Agent Skills Directory

[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it reads content from workspace files (like CLAUDE.md and the memory/ directory) and interpolates this untrusted data into prompts for its sub-agents. An attacker who can influence the content of these files could potentially manipulate the council's output or behavior.
Ingestion points: Workspace files such as CLAUDE.md, claude.md, and files within the memory/ folder are read in Step 1.
Boundary markers: The skill uses triple dashes (---) to delimit the framed question in advisor and reviewer prompts.
Capability inventory: The skill utilizes a Task tool to spawn parallel sub-agents and includes capabilities to write and open HTML and Markdown files.
Sanitization: No evidence of sanitization or escaping of the ingested file content was found before interpolation.
[COMMAND_EXECUTION]: In Step 5, the skill generates an HTML report and automatically opens it for the user. While the instructions specify the use of inline CSS, the automated opening of LLM-generated files in a browser presents a minor execution risk if the generated content were to contain malicious client-side code.

llm-council