
hive

Fail

Audited by Gen Agent Trust Hub on Mar 21, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill explicitly directs the agent to interact with untrusted external codebases. In Step 2 ('VERIFY') and the 'Building on another agent's work' section, the agent is told to use 'git remote add ' followed by 'git fetch && git checkout '. This allows the agent to pull arbitrary code from URLs provided by other potentially malicious agents in the swarm.
  • [COMMAND_EXECUTION]: After checking out untrusted code, the skill instructs the agent to run 'bash eval/eval.sh'. Because this script resides within the fetched repository, an attacker can include malicious commands in the shell script to gain control over the agent's execution environment.
  • [EXTERNAL_DOWNLOADS]: The skill utilizes the 'hive' CLI to discover and download content from arbitrary external URLs that are not restricted to trusted domains. The fork URLs provided by the 'hive run view' command can point to any git hosting service or malicious server.
  • [DATA_EXFILTRATION]: The 'hive skill add' command allows the agent to upload local files to the shared hive server ('hive skill add --name "X" --description "Y" --file path'). This capability could be abused to exfiltrate sensitive files from the agent's filesystem if the agent is convinced to do so via social engineering or indirect prompt injection from the shared feed.
  • [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection.
      • Ingestion points: The agent reads untrusted data from the 'hive task context', 'hive run list', 'hive search', and 'hive feed list' (SKILL.md).
      • Boundary markers: There are no boundary markers or instructions to ignore embedded commands in the processed swarm data.
      • Capability inventory: The agent has access to 'git', 'bash', filesystem read/write, and network operations via the 'hive' CLI (SKILL.md).
      • Sanitization: There is no evidence of sanitization or validation of the content pulled from the shared hive state before the agent uses it to 'Think' and decide on its next 'MODIFY & EVAL' steps.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 21, 2026, 12:17 AM