skills/simota/agent-skills/Magi/Gen Agent Trust Hub

Magi

Fail

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: HIGH (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill invokes the external CLI tools 'codex' and 'gemini' through shell command templates defined in 'references/engine-deliberation-guide.md'. The templates 'codex exec --full-auto "{prompt}"' and 'gemini -p "{prompt}" --yolo' interpolate a '{prompt}' variable that carries user-supplied content such as the decision subject and context. Because the string is substituted directly into a shell command line, a prompt containing shell metacharacters (a semicolon, backticks, '$(...)', a pipe, or an unbalanced double quote that closes the quoted argument) lets an attacker run arbitrary commands on the host. Both templates also pass flags ('--full-auto', '--yolo') that put the tools into their auto-approval modes, so whatever the injected command or the model then does runs without a human in the loop.
  • [REMOTE_CODE_EXECUTION]: In 'Engine Mode' the skill's core function depends on external binaries: it probes for 'codex' and 'gemini' (Google's Gemini CLI) on the host and executes whichever it finds. The binaries are resolved from the environment without any integrity check and are run with dynamically built, user-controlled arguments, so a compromised environment (for example a malicious binary of the same name found first on PATH) or manipulated input results in code execution on the host.
  • [PROMPT_INJECTION]: The skill is exposed to indirect prompt injection: untrusted user data is used to generate the prompts for both the internal deliberators and the external sub-engines. Instructions embedded in a decision request could cause a deliberator to abandon its assigned role, follow the attacker's instructions instead, or leak information from its context.
  • Ingestion points: the user-provided decision 'subject', 'context', 'options' and 'constraints' defined in 'SKILL.md' and inserted into the prompt templates.
  • Boundary markers: the prompt templates use structured headers (e.g. 'DECISION:', 'TYPE:') to separate fields, but nothing tells the sub-engines to treat the field contents as data; there is no explicit 'ignore embedded instructions' directive, and the plain-text headers are trivially reproducible by content embedded in a field.
  • Capability inventory: the skill can execute shell commands and reach external APIs through the two CLI tools.
  • Sanitization: there is no evidence of validation, escaping or quoting of user strings before they are placed on a command line or interpolated into a prompt.
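The COMMAND_EXECUTION finding above, reproduced as an added example that is not the skill's own code: the shell template keeps the shape of 'codex exec --full-auto "{prompt}"', but 'printf "%s\n"' stands in for the 'codex' and 'gemini' binaries (an assumption made so the demo runs offline; printf prints each argument it receives, which shows exactly how the shell split the line). The malicious 'decision subject' is constructed for the demo. Beside the vulnerable path are the two fixes the Sanitization finding points at: quoting with shlex.quote() when a shell is unavoidable, and passing the prompt as a single argv element with no shell at all.

```python
"""Command-injection demo for a shell template of the form 'tool "{prompt}"'.

Added example, not the audited skill's code. 'printf "%s\\n"' stands in for
the 'codex'/'gemini' binaries so the demo runs offline (assumption).
"""
import shlex
import subprocess

# Same shape as the audited template 'codex exec --full-auto "{prompt}"',
# with printf standing in for codex.
VULNERABLE_TEMPLATE = 'printf "%s\\n" "{prompt}"'

# Constructed malicious decision subject: the first '"' closes the quoted
# argument, ';' terminates the printf command, and '#' comments out the
# template's trailing quote so the shell line stays syntactically valid.
MALICIOUS_PROMPT = 'Should we ship v2?"; echo INJECTED #'
BENIGN_PROMPT = 'Should we ship v2?'


def run_vulnerable(prompt: str) -> list[str]:
    """Interpolate the prompt into the shell string and let /bin/sh parse it.
    Returns stdout lines; a second line means the injected command ran."""
    cmd = VULNERABLE_TEMPLATE.format(prompt=prompt)
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout.splitlines()


def run_quoted(prompt: str) -> list[str]:
    """Still goes through a shell, but shlex.quote() wraps the prompt so every
    metacharacter is literal. Acceptable only when a shell is unavoidable."""
    cmd = 'printf "%s\\n" ' + shlex.quote(prompt)
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout.splitlines()


def run_argv(prompt: str) -> list[str]:
    """Preferred fix: pass the prompt as one argv element and never invoke a
    shell, mirroring ['codex', 'exec', '--full-auto', prompt]."""
    result = subprocess.run(["printf", "%s\n", prompt],
                            capture_output=True, text=True)
    return result.stdout.splitlines()


if __name__ == "__main__":
    print("vulnerable, benign prompt:   ", run_vulnerable(BENIGN_PROMPT))
    print("vulnerable, malicious prompt:", run_vulnerable(MALICIOUS_PROMPT))
    print("shlex.quote, malicious prompt:", run_quoted(MALICIOUS_PROMPT))
    print("argv list, malicious prompt:  ", run_argv(MALICIOUS_PROMPT))
```

Run it on any POSIX host: the vulnerable path prints the truncated subject followed by 'INJECTED', proving that the text after the closing quote executed as a separate command; both fixed paths print the entire malicious string as one argument. Note that a denylist of metacharacters is not one of the fixes shown; the robust remedy is to stop handing user text to a shell parser at all, which the argv form does.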
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 11, 2026, 03:31 AM