The Agent Skills Directory

COMMAND_EXECUTION (HIGH): The tool fork_terminal.py is designed to execute arbitrary shell commands provided by the agent. Files like cookbook/cli-command.md encourage using this for any arbitrary command, creating a significant security risk if the agent is manipulated. Additionally, the skill consistently promotes the use of flags like --dangerously-skip-permissions and --dangerously-bypass-approvals-and-sandbox which are designed to bypass standard safety confirmations and sandboxing, effectively granting the spawned agents full autonomous control over the host system.- REMOTE_CODE_EXECUTION (HIGH): The skill depends on multiple external Python scripts (spawn_session.py, tournament.py, tournament_review.py) that are not included in the provided file list. These are executed via python3 using the ${CLAUDE_PLUGIN_ROOT} environment variable, making their logic unverifiable and potentially dangerous.- PROMPT_INJECTION (LOW): Task templates in prompts/tournament_task.md and prompts/worktree_task.md interpolate user-provided ${TASK_DESCRIPTION} directly into instructions for spawned agents. This lacks sanitization or boundary markers, allowing potential indirect prompt injection attacks where a user-provided task could hijack the sub-agent's behavior. Evidence Chain: 1. Ingestion points: TASK.md created from templates. 2. Boundary markers: None used. 3. Capability inventory: Full shell access via fork_terminal.py and referenced scripts. 4. Sanitization: None observed.

fork-terminal