mux-subagent
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill uses imperative and high-pressure language such as 'MANDATORY', 'NON-NEGOTIABLE', and 'CRITICAL' to enforce a protocol that overrides the agent's standard conversational behavior. It specifically commands the agent to suppress detailed responses and return only a status code '0', which can hide the agent's actual activities from the user.
- [COMMAND_EXECUTION]: The PreToolUse hook implements a complex shell command that performs directory traversal to find an '.agentic-config.json' file and then executes a Python script from a path resolved at runtime. This dynamic execution of scripts from computed paths is a significant risk factor, as the execution target can be influenced by the filesystem state.
- [COMMAND_EXECUTION]: The protocol requires the agent to execute a local script (signal.py) via the 'uv' runner. This involves running code that is external to the skill's defined logic, relying on the presence and integrity of files in the local environment.
- [PROMPT_INJECTION]: The orchestration pattern creates a surface for indirect prompt injection. The orchestrator agent is instructed to trust and act upon the 'Executive Summary' and 'Next Steps' sections of reports produced by subagents, which may process untrusted external data. Evidence Chain:
  1. Ingestion point: Subagent reports containing task findings and results.
  2. Boundary markers: No delimiters or warnings are defined for the summarized content.
  3. Capability inventory: Orchestrator agent utilizes summary tools to read and make routing decisions based on report content.
  4. Sanitization: No sanitization or validation of the report contents is mentioned.
Audit Metadata