horse-race

Fail

Audited by Gen Agent Trust Hub on Mar 24, 2026

Risk Level: HIGH
Primary finding: COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill implements a shell here-doc (cat > /tmp/horse-race-winner.patch << 'PATCH_EOF') to save agent-generated code. Because the delimiter PATCH_EOF is static and predictable, a malicious agent could purposefully include this string in its output to break out of the command and execute arbitrary bash instructions on the host system.
  • [COMMAND_EXECUTION]: Automated maintenance and cleanup are performed using shell pipelines (git worktree list, grep, sed, while read) to remove project directories. This involves piping system information into a loop for execution.
  • [PROMPT_INJECTION]: The skill architecture relies on agents consuming and improving upon code generated by other agents, creating a surface for indirect prompt injection where malicious instructions can be passed between agents.
  • Ingestion points: The agent_j_diff content is processed by agents in both Phase 2 (Improvement Rounds) and Phase 3 (Voting) in SKILL.md.
  • Boundary markers: The prompt instructions use Markdown code blocks (```diff) to delimit agent content.
  • Capability inventory: The orchestrating agent has permissions for file system writes, shell execution, and git repository management.
  • Sanitization: No sanitization or escaping is performed on agent-generated diffs before they are processed by other agents or written to the filesystem using shell commands.
  • [EXTERNAL_DOWNLOADS]: Fetches and installs the skill package from the author's repository using the npx skills install command as described in the README.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 24, 2026, 05:07 AM