kahneman
Pass
Audited by Gen Agent Trust Hub on Apr 23, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests user-provided decision descriptions and interpolates them directly into the system prompts of five specialized sub-agents. An adversary could craft a 'decision' description that contains malicious instructions to manipulate the behavior of these sub-agents or the lead agent's final synthesis.
  * Ingestion points: User input is ingested via the $ARGUMENTS variable in the SKILL.md file.
  * Boundary markers: The input is placed within labeled sections (e.g., 'THE DECISION:'), but the skill lacks explicit 'ignore embedded instructions' delimiters or warnings for the sub-agents.
  * Capability inventory: The skill and its sub-agents have the ability to write to the local filesystem (thoughts/ directory), perform web searches/fetches, and execute shell commands.
  * Sanitization: No sanitization, escaping, or validation of user-provided content is performed before interpolation into prompts.
- [COMMAND_EXECUTION]: The skill uses the Bash tool to execute a diagnostic shell command: 'echo "${CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS:-not_set}"'. This is used to determine if experimental multi-agent features are enabled and does not pose a direct security risk, but it represents a functional use of command execution.