agent-researcher
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): High risk of indirect prompt injection. The skill's core purpose is to read and analyze untrusted external data (code, README files, and PR descriptions, per SKILL.md). SKILL.md defines no boundary markers and no sanitization step for that data, so instructions embedded in a fetched file or PR description can steer the agent's reasoning and the recommendations it passes on to other agents.
- [COMMAND_EXECUTION] (HIGH): Potential shell command injection in lifecycle hooks. The 'pre' hook in SKILL.md interpolates the '$TASK' variable directly into a shell-like command string. If the execution platform hands that string to a system shell, a task name containing shell metacharacters (a semicolon, backticks, or $(...)) is re-parsed as shell syntax and runs arbitrary commands on the host.
- [DATA_EXFILTRATION] (LOW): The skill aggregates potentially sensitive information from codebases into shared memory via MCP tools ('mcp__claude-flow__memory_usage'). This is a functional requirement for research, but it also gives anything discovered during automated scanning (secrets, internal hostnames, proprietary code) a path into broader coordination contexts, and nothing in the skill filters that data before it is written.
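To make the COMMAND_EXECUTION finding concrete, the following is an added illustration and not the skill's own hook text: the page states only that the 'pre' hook interpolates $TASK into a shell-like command string, so the echo body used here is an assumed stand-in for whatever that command actually is. The script shows the interpolate-then-reparse pattern beside two fixes: passing the task name as an argument that is never re-parsed, and rejecting task names outside a tight allowlist for platforms that insist on interpolating.

```shell
#!/usr/bin/env bash
# Added example, not code from SKILL.md or the agent-researcher project.
# The hook body (an echo) is an assumption; the page does not show the real command.

# Assumed vulnerable shape: the hook text is built by string interpolation and
# then handed to a shell, so the task name is re-parsed as shell syntax.
vulnerable_hook() {
  local task="$1"
  local hook_cmd="echo Starting research: $task"   # interpolation happens here
  eval "$hook_cmd"                                  # shell re-parses ; ` $( ) etc.
}

# Fix 1: never re-parse. The task name is an argument, not part of the command text,
# so metacharacters in it are printed literally.
safe_hook() {
  local task="$1"
  printf 'Starting research: %s\n' "$task"
}

# Fix 2: refuse task names containing anything outside [A-Za-z0-9._-].
# Returns 0 (accept) or 1 (reject); use when the platform still interpolates.
validate_task() {
  case "$1" in
    '') return 1 ;;
    *[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

main() {
  # Constructed attacker-controlled task name with a harmless payload.
  local evil='review-pr; echo INJECTED'
  echo '--- vulnerable hook (payload runs) ---'
  vulnerable_hook "$evil"
  echo '--- safe hook (payload printed, not run) ---'
  safe_hook "$evil"
  if validate_task "$evil"; then echo 'validate: accepted'; else echo 'validate: rejected'; fi
}

main
```

Run it and the vulnerable hook prints "INJECTED" on its own line, proving the second command executed; the safe hook prints the whole task name as data and the validator rejects it. Backticks and $(...) behave the same way through eval, which is why the allowlist rejects them rather than trying to escape individual characters.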
Recommendations
- The audit flagged two HIGH findings, so the skill fails review until they are addressed: stop interpolating $TASK into the pre hook's command string (pass it as a separate, quoted argument, or validate it against a strict allowlist before use), and treat fetched code, README and PR text as data by wrapping it in explicit boundary markers before it reaches the model or is summarized for other agents. The LOW finding warrants a filter on what is written to shared memory via mcp__claude-flow__memory_usage.
Audit Metadata