spec-kit-parallel-orchestrator

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [Unverifiable Dependencies & Remote Code Execution] (CRITICAL): The manifest file 'patches/manifests/long-running-harness.full.manifest.json' explicitly directs the agent or user to install the skill using a 'curl | bash' one-liner from an untrusted GitHub repository (rexleimo/rex-skills). This allows the remote author to execute arbitrary code on the host machine.
  • [Dynamic Execution] (HIGH): Scripts such as 'harness-end.sh' and 'harness-verify-e2e.sh' parse an 'e2e_command' from the '.harness-config.json' file and execute it using 'bash -c'. This provides a direct path for arbitrary command execution.
  • [External Downloads] (MEDIUM): The 'scripts/uninstall.sh' script dynamically downloads a patch file from a non-whitelisted domain using 'curl'.
  • [Privilege Escalation] (MEDIUM): 'scripts/harness-init.sh' applies 'chmod +x' to a newly created 'init.sh' script. While intended for setup, this is a risk if the file contents are externally influenced.
  • [Indirect Prompt Injection] (LOW): The skill is vulnerable to indirect prompt injection (Category 8). Evidence: 1. Ingestion points: feature descriptions and steps are read from 'feature_list.json'. 2. Boundary markers: Absent. 3. Capability inventory: The skill has high-privilege capabilities including shell command execution ('bash -c') and git commit operations across all harness scripts. 4. Sanitization: Absent. Input from the JSON file is interpolated directly into progress logs and session plans without escaping or validation.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/rexleimo/rex-skills/main/spec-kit-parallel-orchestrator/scripts/uninstall.sh, https://raw.githubusercontent.com/rexleimo/rex-skills/main/spec-kit-parallel-orchestrator/scripts/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: CRITICAL
Analyzed: Feb 17, 2026, 06:51 PM