autonomous-skill
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Command Injection (MEDIUM): In Step 3, the variable $USER_TASK_DESCRIPTION is interpolated directly into the 'claude' command line. A malicious task description containing double quotes could be used to inject additional CLI arguments, potentially overriding safety settings or max turn limits.
- Indirect Prompt Injection (LOW): The skill processes task instructions from local Markdown files and interpolates them into agent prompts.
  1. Ingestion points: .autonomous/task_list.md and progress.md.
  2. Boundary markers: None; contents are directly concatenated.
  3. Capability inventory: Filesystem access (cat, ls, find) and 'claude' CLI execution.
  4. Sanitization: None.
- Dynamic Execution (LOW): The skill implements an autonomous 'while true' loop (Step 4) that executes commands repeatedly. This unbounded looping behavior can lead to uncontrolled resource consumption if the termination conditions are subverted.
Audit Metadata