agent-factory

Pass

Audited by Gen Agent Trust Hub on Mar 13, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through its worker creation logic.
  • Ingestion points: The task dictionary in SKILL.md (specifically the id, name, acceptance, and task_instructions fields) acts as an entry point for untrusted data.
  • Boundary markers: Absent. Untrusted content is substituted directly into placeholders such as {task_instructions} and {acceptance} within the generated worker_skill and dispatch_prompt, with no delimiters around it and no instruction to ignore embedded commands.
  • Capability inventory: The skill utilizes write_file to create new skill definitions, os.makedirs for directory management, and the Task tool to execute subagents with the generated prompts in SKILL.md.
  • Sanitization: Absent. There is no escaping or validation of task-provided strings before they are interpolated into executable instructions or system prompts.
  • [COMMAND_EXECUTION]: The skill performs dynamic script generation and file system operations based on external input.
  • The create_worker_agent function programmatically generates SKILL.md files for worker agents, which are subsequently executed via the Task tool.
  • The construction of worker_skill_path in SKILL.md incorporates the task['id'] value directly into a file path (.claude/skills/workers/{worker_id}/SKILL.md). Without sanitization, a task ID containing directory traversal sequences could cause skill files to be written to unintended locations.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 13, 2026, 06:12 PM