create-sub-agent

Pass

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: SAFE
Flagged categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it accepts user-controlled names and descriptions that are directly interpolated into the system instructions of generated agents.
  • Ingestion points: The --name and --desc CLI arguments in scripts/scaffold.py are populated from user input.
  • Boundary markers: Absent in the Jinja templates (e.g., templates/agent.md.jinja), which do not delimit user-provided data from system instructions.
  • Capability inventory: The skill performs filesystem write operations and generates executable scripts using the Bash tool.
  • Sanitization: While resource names are validated against a regular expression (r'^[a-z0-9-]+$'), the description field is used without sanitization, allowing potential instruction injection into the generated configurations.
  • [COMMAND_EXECUTION]: The scripts/scaffold.py script generates Python scripts from templates and programmatically grants them executable permissions using os.chmod with mode 0o755. This creation and permission modification of executable files at runtime is a core feature but constitutes dynamic code generation.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 14, 2026, 05:01 PM