
trellis-meta

Warn

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill documents the use of the --dangerously-skip-permissions flag with the Claude CLI in automation scripts (e.g., multi_agent/start.py). This flag explicitly bypasses the AI's safety prompts for tool use, allowing automated execution of commands without human oversight.
  • [COMMAND_EXECUTION]: Multiple agents defined in the system (dispatch, plan, implement, check, debug) are granted Bash and Write tool permissions, enabling them to execute arbitrary system commands and modify files.
  • [REMOTE_CODE_EXECUTION]: The 'Ralph Loop' quality enforcement system (ralph-loop.py) and the post_create hook in worktree.yaml execute arbitrary shell commands defined in user-editable configuration files. This allows for the execution of arbitrary code during the automated workflow lifecycle.
  • [DATA_EXFILTRATION]: The system is designed to copy sensitive environment files, such as .env and .env.local, between directories during 'worktree' creation. While intended for local development isolation, this mechanism handles sensitive project secrets.
  • [PROMPT_INJECTION]: The inject-subagent-context.py hook performs prompt interpolation by reading contents from various files (as defined in JSONL files) and prepending them to the agent's instructions. This creates a surface for indirect prompt injection where malicious content in a project file could override agent behavior.
      ◦ Ingestion points: Files listed in *.jsonl (e.g., implement.jsonl, check.jsonl) and requirements in prd.md.
      ◦ Boundary markers: Uses simple text headers like === [filename] === to delimit injected content.
      ◦ Capability inventory: Agents have access to Bash, Write, Edit, and the Task tool (subagent invocation).
      ◦ Sanitization: No explicit sanitization or escaping of the injected file contents is documented.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 4, 2026, 03:35 AM