kim-orchestrator

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The core script scripts/orchestrate.sh is vulnerable to shell command injection. The $TASK variable, derived from user input, is expanded inside an unquoted heredoc (cat <<PROMPT) during the prompt construction phase. This allows any task description containing command substitution syntax (e.g., $(whoami) or `id`) to be executed by the host shell with the agent's privileges.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill directs users to install the @openai/codex and @google/gemini-cli packages via npm. The @openai/codex package is not an official OpenAI library, which poses a supply-chain security risk as the package's provenance and safety are unverifiable.
  • [PROMPT_INJECTION] (LOW): The skill employs a multi-stage workflow where the output of one model (Claude) is ingested by another (Codex), which is then reviewed by a third (Gemini). The workflow lacks sanitization or boundary markers (e.g., XML tags or delimiters) when interpolating AI-generated content or user tasks into prompts, making it susceptible to indirect prompt injection.
  • [DATA_EXPOSURE] (LOW): The skill creates a local directory .kim-orchestrator to store execution logs, technical requirements, and generated code. While intended for traceability, these files may contain sensitive project information that could be exposed if the directory is not properly secured or excluded from version control.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 06:45 PM