sub-agent-orchestrator
Pass
Audited by Gen Agent Trust Hub on Apr 10, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The orchestrator design chains outputs from one agent into the prompts of another using variable interpolation (e.g., {{steps.research.output}}). This enables indirect prompt injection, where untrusted data retrieved by one agent can manipulate the instructions given to subsequent agents.
  * Ingestion points: Prompts and step inputs defined in the workflow YAML.
  * Boundary markers: None present; data is directly concatenated.
  * Capability inventory: The skill utilizes the Agent, Read, Write, and Bash tools.
  * Sanitization: No validation or escaping is performed on interpolated variables.
- [COMMAND_EXECUTION]: The workflow engine supports an 'eval' directive for conditional logic and grants sub-agents access to the 'Bash' tool. The evaluation of dynamic expressions containing data from previous steps poses a risk of command injection.
- [COMMAND_EXECUTION]: Inconsistency detected between the skill's allowed-tools manifest (Read, Write, Agent, Bash) and the tools requested in the example workflow definitions (e.g., WebSearch), which may lead to unexpected behavior or policy bypass attempts.
Audit Metadata