skills/hkuds/nanobot/tmux/Gen Agent Trust Hub

tmux

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8). It ingests untrusted data from terminal outputs which can then influence the agent's next actions.
      • Ingestion Points: Output is captured in scripts/wait-for-text.sh and via the capture-pane instructions in SKILL.md.
      • Boundary Markers: None. The skill does not use delimiters or instructions to ignore embedded commands in the captured terminal text.
      • Capability Inventory: The agent has the ability to execute arbitrary commands via tmux send-keys, manage files, and spawn processes (including other agents like 'Codex' with --yolo flags as suggested in the documentation).
      • Sanitization: None. Raw terminal output is piped directly into the agent's context or processed via grep.
  • [COMMAND_EXECUTION] (HIGH): The skill is designed to facilitate command execution. If an agent is compromised via indirect injection from a file it is 'scraping' via a tmux pane, it can be forced to execute malicious shell commands (e.g., recursive deletion, credential harvesting, or reverse shells) using the send-keys functionality.
  • [DATA_EXFILTRATION] (MEDIUM): The capture-pane functionality allows for the extraction of large amounts of terminal history (up to 2000 lines by default in the scripts). This history may contain sensitive information such as environment variables, hardcoded secrets, or private data displayed during previous CLI operations.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 09:42 AM