Gen Agent Trust Hub audit: cdt (skills/rube-de/cc-skills/cdt)

Status: Warn

Audited by Gen Agent Trust Hub on Apr 20, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill makes extensive use of the Bash tool to perform git operations, interact with the GitHub CLI, and execute local scripts. Specifically, it uses shell expansion to execute scripts from paths stored in files, which is a high-risk pattern.
  • [REMOTE_CODE_EXECUTION]: In both 'references/dev-workflow.md' and 'references/bugfix-workflow.md', the skill executes a script named 'sync-github-issue.sh' using a directory path read dynamically from '.dev/cdt/$BRANCH/.cdt-scripts-path'. This creates a vulnerability where a malicious repository could execute arbitrary code if the configuration files in the '.dev' directory are manipulated.
  • [EXTERNAL_DOWNLOADS]: The workflow instructs the QA-tester teammate to use 'npx agent-browser', which downloads and runs external code from the npm registry during execution.
  • [PROMPT_INJECTION]: The skill is designed to process untrusted data from GitHub issues and external technical documentation. While it includes mitigation strategies such as delimited 'RESEARCH CONTEXT' blocks and instructions to treat data as reference-only, the agents possess the capability to perform file writes and teammate creation, making them susceptible to sophisticated indirect prompt injection attacks. Ingestion points are identified in 'references/plan-workflow.md' and 'references/researcher-prompt.md'.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 20, 2026, 05:28 AM