The Agent Skills Directory

[PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface (Category 8) where untrusted user input can influence the behavior of spawned sub-agents.
Ingestion points: User input provided via the $ARGUMENTS variable in SKILL.md is ingested and then used to populate prompts for multiple sub-agents.
Boundary markers: The skill fails to use clear boundary markers, such as XML tags or explicit delimiters, when embedding user-provided problem descriptions into the templates for the Simplifier, Analogist, Reframer, Decomposer, and Inverter sub-agents.
Capability inventory: Spawned sub-agents have access to a broad toolset, including file system access (Read, Write, Edit), shell access (Bash), and the ability to spawn further agents or message others, providing a large attack surface if an injection succeeds.
Sanitization: No input sanitization, filtering, or instruction-ignoring guardrails are implemented for the interpolated user content.
[COMMAND_EXECUTION]: The skill uses the Bash tool to execute a transparent diagnostic command (echo "${CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS:-not_set}") to check environment variables before determining the team-spawning logic. This is a legitimate use of the tool for environment detection.

shannon