Gen Agent Trust Hub audit: skills/modu-ai/moai-adk/agency

Skill: agency

Result: Pass

Audited by Gen Agent Trust Hub on Apr 7, 2026

Risk Level: SAFE
Finding categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill implements a complex multi-agent pipeline (Planner -> Copywriter -> Designer -> Builder -> Evaluator -> Learner) where data flows between specialized components. This creates a surface for indirect prompt injection.
    ◦ Ingestion points: The system processes untrusted data at multiple stages, including initial user requests ($ARGUMENTS), generated BRIEF documents, and outputs like copy, design specs, and code files.
    ◦ Boundary markers: The orchestration instructions lack explicit delimiters or isolation protocols to prevent downstream agents from inadvertently following instructions embedded within the data they are processing.
    ◦ Capability inventory: The orchestrator and its sub-agents have access to powerful tools including Write, Edit, and Bash, which could be exploited if an agent is compromised via indirect injection.
    ◦ Sanitization: No evidence of content sanitization or validation is described as data moves between the pipeline stages.
  • [COMMAND_EXECUTION]: The orchestrator manages specialized agents that perform functional code generation and execution.
    ◦ The 'builder' agent produces code based on design specs, which is then processed by the 'evaluator' agent.
    ◦ The 'evaluator' agent uses Playwright to run tests, which involves the execution of dynamically generated code and scripts in the local environment.
  • [COMMAND_EXECUTION]: The evolve subcommand implements a self-modification feature that updates the instructions of agents and skills located in .claude/agents/agency/ and .claude/skills/agency-*/ based on feedback logs.
    ◦ This represents dynamic instruction generation and persistence of locally-generated logic.
    ◦ Mitigation: The risk is mitigated by a mandatory human-in-the-loop checkpoint (AskUserQuestion) where the user must preview and approve the proposed changes before they are applied to the system.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 7, 2026, 06:35 PM