orbit
Fail
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill dynamically generates and executes several shell scripts (run-loop.sh, bootstrap.sh, verify.sh, recover.sh, notify.sh) and assigns execution permissions using chmod +x (e.g., bootstrap.sh at Line 546).
- [COMMAND_EXECUTION]: The main runner run-loop.sh executes the EXEC_CMD environment variable (Line 185), which is intended to be configured with high-autonomy AI tools using flags that bypass human confirmation, such as 'claude --dangerously-skip-permissions' or 'gemini --yolo' as defined in references/executor-engines.md.
- [COMMAND_EXECUTION]: The verify.sh template (Line 549) is designed to run arbitrary shell commands defined in the goal.md file's acceptance criteria, which represents an unvalidated command execution path.
- [COMMAND_EXECUTION]: The skill performs automated Git repository management, including branch creation, squashing commits, and deleting branches, which can lead to data loss or unintended repository states if manipulated.
- [EXTERNAL_DOWNLOADS]: The notify.sh script (Line 615) uses edge-tts, an external speech-synthesis utility that sends the notification text to Microsoft's online text-to-speech service and downloads the generated audio for playback, so notification content leaves the host.
- [PROMPT_INJECTION]: The skill is open to indirect prompt injection through its ingestion of goal.md (Line 509).
  - Ingestion points: goal.md file content.
  - Boundary markers: Markdown headers such as '## Objective' delimit sections, but a header is only formatting; it does not stop an attacker from placing instructions inside the goal description or the acceptance criteria.
  - Capability inventory: host shell execution via the generated scripts, Git operations, and execution of AI tools run with their permission prompts disabled.
  - Sanitization: none. goal.md content is interpolated into shell scripts and LLM prompts without escaping or validation.
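The verify.sh finding and the prompt-injection finding above come down to one pattern: text from goal.md is interpolated into a generated shell script without being treated as data. The script below is an added example written for this page, not code from the orbit skill or its templates. It reproduces the verbatim-interpolation template beside a variant that word-splits each acceptance criterion, checks the command word against an allowlist and quotes every argument, then runs both against a constructed goal.md carrying an injected criterion. The goal.md layout, the `MARKER` variable, the `ALLOWED_CMDS` list and the helper names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the orbit skill or its templates. It shows why
# copying goal.md acceptance criteria verbatim into a generated verify.sh is
# an unvalidated command-execution path, and one way to treat those criteria
# as data. The goal.md layout, the MARKER variable and ALLOWED_CMDS are
# assumptions made for this demonstration.

# Constructed goal.md. The second criterion is an injected payload that a
# verbatim template executes right after the legitimate check.
GOAL_MD='## Objective
Make the existing test suite pass.

## Acceptance criteria
- test -d .
- echo pwned > "$MARKER"; true
'

# Print the "- " bullets that sit under the "## Acceptance criteria" header.
extract_criteria() {
  printf '%s\n' "$1" | awk '
    /^## /         { in_ac = ($0 == "## Acceptance criteria"); next }
    in_ac && /^- / { sub(/^- /, ""); print }
  '
}

# UNSAFE template: each criterion line lands in the script as a command, so
# whatever was written into goal.md runs with the runner's privileges.
render_verify_unsafe() {
  printf '#!/bin/sh\nset -e\n'
  extract_criteria "$1"
}

# Single-quote one word so the generated script treats it as a literal.
shquote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# SAFER template: split each criterion into words only (no globbing, no
# expansion), require the command word to be allowlisted, and quote every
# word. Returns 1 if any criterion was rejected, so the caller can refuse to
# run the generated script at all.
ALLOWED_CMDS=" test npm pytest make go cargo "

render_verify_safe() {
  criteria=$(extract_criteria "$1")
  rejected=0
  printf '#!/bin/sh\nset -e\n'
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    set -f
    # shellcheck disable=SC2086
    set -- $line
    set +f
    case "$ALLOWED_CMDS" in
      *" $1 "*)
        for w in "$@"; do printf '%s ' "$(shquote "$w")"; done
        printf '\n' ;;
      *)
        printf '# rejected: %s\n' "$line"
        rejected=1 ;;
    esac
  done <<EOF
$criteria
EOF
  return "$rejected"
}

# Demo: render both templates from the constructed goal.md, run them in a
# scratch directory and report whether the payload wrote its marker file.
demo() {
  tmp=$(mktemp -d)
  MARKER="$tmp/pwned"; export MARKER

  render_verify_unsafe "$GOAL_MD" > "$tmp/verify-unsafe.sh"
  sh "$tmp/verify-unsafe.sh"
  [ -f "$MARKER" ] && echo "unsafe template: payload ran, $MARKER exists"
  rm -f "$MARKER"

  if render_verify_safe "$GOAL_MD" > "$tmp/verify-safe.sh"; then
    sh "$tmp/verify-safe.sh"
  else
    echo "safe template: refused to run, offending criterion:"
    grep '^# rejected' "$tmp/verify-safe.sh"
  fi
  [ -f "$MARKER" ] || echo "safe template: payload did not run"
  rm -rf "$tmp"
}
demo
```

Run it as a plain script: it renders both verify scripts into a scratch directory, executes them and prints whether the injected criterion wrote its marker. The allowlist is a containment control, not a fix for the prompt-injection finding: a permitted command with attacker-chosen arguments (for example `make` with a crafted target) can still do damage, so criteria also need review before the runner acts on them.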
Recommendations
- AI detected serious security threats