two-agent-harness

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • Persistence & Privilege Escalation (HIGH): The setup-two-agent-system.sh script performs intrusive modifications to the user's environment. It installs multiple shell scripts into ~/.claude/hooks/ and modifies the global ~/.claude/settings.json file. This allows the skill to persistently monitor and intercept every agent action (PreToolUse, PostToolUse, SessionStart, SessionEnd) across all projects, not just those using the harness.
  • Command Execution & Dynamic Execution (MEDIUM): The installation script and several hooks (pre-tool-guard.sh, session-progress-check.sh) use python3 -c to execute dynamically generated Python code for JSON processing. These scripts interpolate shell variables directly into the Python program text; if a variable ever carries untrusted input, a single quote or newline in its value terminates the Python string literal and the remainder of the value runs as Python with the hook's privileges. Passing values through sys.argv or stdin instead of splicing them into the source avoids this.
  • Indirect Prompt Injection (LOW): The pre-tool-guard.sh hook makes tool-blocking decisions based on data read from .claude/progress/feature-list.json and a predictable temporary file /tmp/claude-hook-bypass-$$. Because /tmp is world-writable and the $$ suffix is only the hook's PID, any local user or process able to guess it can pre-create the file; an attacker capable of writing to either location could bypass the guard or cause a denial of service by making the agent block its own tools.
  • Ingestion points: .claude/progress/feature-list.json, /tmp/claude-hook-bypass-[PID]
  • Boundary markers: Absent
  • Capability inventory: Can block tool execution, modify session-state.json, and print mandatory instructions to the agent console.
  • Sanitization: Relies on python3 JSON parsing; no specific input validation on project data.
  • External Downloads (LOW): The init-template.sh template includes commands to run npm install, pip install, and bundle install. While these are standard for development projects, they represent a surface for dependency-related attacks if the agent executes them on untrusted projects.
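The following is an added example for this audit entry, not code from the two-agent-harness project. It contrasts the "python3 -c with interpolated shell variables" pattern flagged in the Command Execution finding with an argv-based rewrite, and shows a less exposed location for a hook bypass marker than the /tmp/<name>-$$ path flagged in the Indirect Prompt Injection finding. The feature-list.json content, the feature names, the hook-guard directory name and the function names are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the project's own hook code). Everything below that is
# named or written to disk is constructed for the demo.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
FEATURE_LIST="$WORK/feature-list.json"

# Constructed stand-in for .claude/progress/feature-list.json.
printf '%s\n' '{"login-form": "done", "export-csv": "in-progress"}' > "$FEATURE_LIST"

# Vulnerable: the feature name ($1) and file path ($2) are spliced into the
# Python source text. A quote in the name escapes the string literal and the
# rest of the name is executed as Python with the hook's privileges.
vulnerable_status() {
    python3 -c "import json; d = json.load(open('$2')); print(d.get('$1', 'unknown'))"
}

# Hardened: identical logic, but both values travel through sys.argv. The
# Python program is a constant single-quoted string the shell never edits.
safe_status() {
    python3 -c 'import json, sys
d = json.load(open(sys.argv[2]))
print(d.get(sys.argv[1], "unknown"))' "$1" "$2"
}

# A feature name that is a legal JSON key but doubles as an injection payload
# when interpolated: it closes print(d.get(...)), runs a command, then
# reopens a call so the remaining source still parses.
EVIL_NAME="')); __import__('os').system('echo INJECTED'); print(('"

# Bypass marker: /tmp/<name>-$$ lives in a world-writable directory and PIDs
# are guessable, so another local process can plant the file first. Keep the
# marker in a 0700 directory owned by the caller instead (hypothetical
# "hook-guard" name; $1 overrides the base directory for testing) and refuse
# symlinks and anything that is not a regular file.
bypass_marker_path() {
    dir="${1:-${XDG_RUNTIME_DIR:-${HOME:-.}/.cache}}/hook-guard"
    mkdir -p "$dir" && chmod 0700 "$dir" || return 1
    printf '%s\n' "$dir/bypass-$$"
}

# Returns 0 only when a regular, non-symlink marker exists in the guarded dir.
bypass_requested() {
    f=$(bypass_marker_path "${1:-}") || return 1
    [ ! -L "$f" ] && [ -f "$f" ]
}
```

Run with `sh`: `vulnerable_status "$EVIL_NAME" "$FEATURE_LIST"` prints INJECTED along with the harmless output, while `safe_status` with the same name prints unknown because the payload is only ever a dictionary key. The marker directory check does not by itself make the bypass mechanism trustworthy; it only removes the shared-/tmp race and symlink angle, which is the part the audit entry calls out.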
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 06:35 PM