agent-teams

Fail

Audited by Gen Agent Trust Hub on Feb 22, 2026

Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [Privilege Escalation] (HIGH): The skill configuration and documentation consistently promote the use of the '--dangerously-skip-permissions' flag for spawned Claude agents (found in config.json and reference/best-practices-full.md). This disables the critical security boundary that requires human approval for tool usage, allowing sub-agents to perform potentially destructive actions autonomously on the host system.
  • [Command Execution] (MEDIUM): The skill implements lifecycle hooks (e.g., TeammateIdle, TaskCompleted) designed to execute arbitrary local shell scripts like './scripts/verify-task.sh'. While intended for task automation and verification, this provides a mechanism for automatic code execution during agent orchestration turns.
  • [Indirect Prompt Injection] (LOW): The orchestration pattern relies on a 'Lead' agent writing instructions to WORKTREE_TASK.md files which are consumed by 'Worker' agents.
    1. Ingestion points: WORKTREE_TASK.md and CONTRACT.md.
    2. Boundary markers: Absent.
    3. Capability inventory: Sub-agents are spawned with high privileges (skip-permissions) and can execute shell commands and modify files.
    4. Sanitization: Absent.
    This introduces a vulnerability where malicious data from one task can compromise a sub-agent.
  • [External Dependencies] (LOW): The skill relies on external scripts from a sibling 'worktree-manager-skill' (e.g., launch-agent.sh) for infrastructure tasks like creating worktrees and launching terminals. This creates a dependency on unverified local scripts located in the user's skill directory.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 22, 2026, 09:27 PM