orchestrating-multi-agent-systems

Pass

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection in the provided orchestration examples and templates. User-supplied queries are interpolated directly into agent prompts (e.g., in references/examples.md and assets/example_coordinator.ts) without adequate protection.
  • Ingestion points: Untrusted data enters the agent context through the query field in CoordinatorInput and the ticketText parameter in various orchestrator functions.
  • Boundary markers: The implementation examples do not use delimiters like XML tags or triple backticks, nor do they include explicit instructions for the model to ignore instructions embedded within the user data.
  • Capability inventory: The skill manifest in SKILL.md grants broad capabilities, including Bash(npm:*), Read, Write, and Edit, which could be exploited if an agent is successfully subverted via an injection attack.
  • Sanitization: There is no evidence of validation, escaping, or sanitization logic to filter out potentially malicious commands from user inputs before they reach the language model.
  • [COMMAND_EXECUTION]: Files in the scripts/ directory (agent_setup.sh, dependency_installer.sh, env_setup.sh) are Python scripts mislabeled with .sh extensions. These scripts perform benign file and directory management tasks related to project initialization and do not execute malicious commands or download remote content, although they do not perform the dependency installation or credential management described in their documentation.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 10, 2026, 08:02 AM