The Agent Skills Directory

[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It accepts user-controlled input in the form of the {problem} and {context} variables and interpolates them directly into the system prompts of multiple subagents. If this input contains malicious instructions disguised as data, the subagents may follow them.
Ingestion points: Variables {problem} and {context} in SKILL.md used during agent spawning.
Boundary markers: The skill uses simple textual headers (e.g., PROBLEM:, CONTEXT:) but lacks robust delimiters or explicit "ignore embedded instructions" warnings for the subagents.
Capability inventory: The skill spawns subagents of type general-purpose with bypassPermissions enabled, granting them wide operational scope.
Sanitization: No validation, escaping, or filtering is applied to the user-provided text before it is inserted into subagent prompts.
[PROMPT_INJECTION]: The skill explicitly sets mode: "bypassPermissions" for all dynamically spawned subagents. This configuration suppresses standard security prompts and user confirmations for the subagents' activities. While functional for the multi-agent workflow, it eliminates a critical layer of human oversight, allowing any injected instructions to be executed silently.

multi-lens