parallel-research

Warn

Audited by Gen Agent Trust Hub on Mar 28, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill dynamically generates a bash script ('run-agent.sh') and executes it after modifying its permissions using 'chmod +x'. This runtime generation and execution of code bypasses static analysis.
  • [REMOTE_CODE_EXECUTION]: The skill executes external scripts ('wait-for-text.sh', 'diagnose-agents.sh') located in hardcoded local paths outside of the skill directory. These external dependencies are unverifiable and create a risk if the local environment is compromised.
  • [COMMAND_EXECUTION]: The skill utilizes 'tmux send-keys' to execute commands in background panes, interpolating domain names and model identifiers into the shell commands. This lack of sanitization for research topic inputs creates a risk of command injection.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. Ingestion point: 'output.md' files generated from web search results. Boundary markers: Absent. Capability inventory: 'Bash', 'Write', 'Edit', and 'tmux'. Sanitization: Absent. Sub-agents are granted 'Bash' and 'Write' tools, which could be abused if they ingest malicious web content.
  • [PROMPT_INJECTION]: The skill relies on natural language instructions ('DO NOT modify any files') to constrain the behavior of sub-agents instead of technical sandboxing or restricted toolsets, making it susceptible to jailbreak or instruction override patterns.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 28, 2026, 07:14 AM