The Agent Skills Directory

COMMAND_EXECUTION (MEDIUM): The file assets/hook-examples.yml defines hooks (TeammateIdle, TaskCompleted) that trigger the execution of bash scripts located in the project's .claude/hooks/ directory via computed paths ($CLAUDE_PROJECT_DIR). Risk: An attacker or a compromised agent with write access to the repository could replace these scripts to achieve persistent code execution whenever standard agent lifecycle events occur.
PROMPT_INJECTION (LOW): The skill establishes an Indirect Prompt Injection surface via the messaging protocol defined in assets/message-formats.yml. Ingestion points: Agents read from ~/.claude/teams/{team}/inboxes/{agent}.json (messages from other teammates). Boundary markers: Messages are wrapped in XML tags during rendering, but the schema lacks explicit sanitization. Capability inventory: Teammates execute shell commands (via hooks), manage tasks, and approve plans. Sanitization: No sanitization is present for message text fields, allowing for potential peer-to-peer injection.
EXTERNAL_DOWNLOADS (LOW): The hook scripts in assets/hook-examples.yml execute npm run lint and npm test. Evidence: Scripts use npm to perform validation gates. Risk: Running package manager commands in a local directory can trigger the execution of arbitrary code defined in package.json scripts or dependencies.

agent-teams