
ralph-loop

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill establishes a workflow where an AI agent reads external content (URLs, docs, specs) and uses that information to update AGENTS.md and IMPLEMENTATION_PLAN.md. These files then control the agent's future actions and the commands executed in the loop.
  • Ingestion points: specs/*.md, AGENTS.md, and external URLs/docs processed during Phase 2.
  • Boundary markers: Absent. No delimiters or instructions are provided to the agent to ignore embedded commands in the specs or external data.
  • Capability inventory: The generated scripts execute codex exec, claude, and arbitrary bash commands via bash -lc "$TEST_CMD". They also have file-write and git-commit capabilities.
  • Sanitization: Absent. The skill encourages direct interpolation of file content into CLI commands and execution of commands stored in plaintext files.
  • Command Execution & RCE (HIGH): The skill generates scripts that execute commands defined in AGENTS.md (backpressure commands) or user-provided TEST_CMD strings. Because these commands are executed via bash -lc, an attacker who poisons the implementation plan or specs to modify AGENTS.md can achieve arbitrary code execution on the user's host.
  • Privilege Escalation (HIGH): The skill explicitly instructs the AI to generate scripts using flags like --dangerously-skip-permissions (Claude Code) and --full-auto (Codex). When combined with an autonomous loop processing untrusted external data, this removes the 'Human-in-the-Loop' safety barrier, allowing an injected instruction to perform destructive actions (e.g., deleting files, exfiltrating data) without user approval.
  • Persistence (MEDIUM): While not a traditional backdoor, the skill creates a persistent autonomous loop that continues to run and execute commands based on file state until a specific string is detected, which could be exploited to maintain a long-running malicious process.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 06:28 PM