orchestrator
Fail
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- REMOTE_CODE_EXECUTION (HIGH): Multiple SKILL.md files (e.g., cto, pm, datalead, infralead) explicitly instruct the agent to run `npx skills add 1nference-sh/skills`. Since '1nference-sh' is not a recognized trusted source, this allows the agent to download and execute unverified third-party code directly into its execution environment.
- EXTERNAL_DOWNLOADS (LOW): The skill collection frequently references and installs dependencies from `vercel-labs/skills` and `anthropics/skills`. Per the [TRUST-SCOPE-RULE], these specific sources are considered trusted, resulting in a LOW severity for the download itself, though the execution pattern remains noteworthy.
- COMMAND_EXECUTION (MEDIUM): The meta-workflow of this skill set is built around the execution of shell commands (`npx`) to modify the agent's own capabilities at runtime. This creates a persistent risk where the agent might be coerced into installing malicious tools.
- INDIRECT_PROMPT_INJECTION (LOW):
  - Ingestion points: All user requests enter through the `cto` skill (.agents/skills/cto/SKILL.md).
  - Boundary markers: The prompt templates lack explicit delimiters (like XML tags or triple quotes) to separate user-provided task descriptions from system instructions.
  - Capability inventory: The system has broad capabilities for network access and command execution through the `npx skills` interface.
  - Sanitization: There is no documentation or instruction for the agent to sanitize or escape user input before delegating it to specialized skills or using it to search for/create new skills.
- DYNAMIC_EXECUTION (MEDIUM): The inclusion of the `skill-creator` (via `anthropics/skills`) encourages the agent to generate and execute new instructional scripts at runtime. While the tool source is trusted, the behavior of dynamic code generation based on potentially untrusted user requirements is a medium-risk pattern.
Recommendations
- AI detected serious security threats
Audit Metadata