project-session-manager

Fail

Audited by Gen Agent Trust Hub on Apr 27, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill launches the AI agent with the --dangerously-skip-permissions flag in lib/tmux.sh, as documented in SKILL.md. This flag is specifically designed to bypass core platform security controls, including directory-trust verification and the requirement for explicit user consent before the agent executes tools such as shell commands, file system writes, or network requests. It removes the final human-in-the-loop safety layer.
  • [PROMPT_INJECTION]: The skill exposes a significant indirect prompt injection surface by retrieving data from external providers (GitHub PRs, issues, Jira tickets, etc.) and incorporating this unvalidated content directly into the agent's initialization sequence.
      ◦ Ingestion points: External data is fetched via provider-specific CLIs and APIs (gh, jira, glab, az, tea, curl) within the lib/providers/ directory.
      ◦ Boundary markers: Untrusted data is rendered into markdown files using templates (e.g., templates/pr-review.md) and delivered to the agent without protective delimiters and without any guidance to disregard instructions embedded in the data.
      ◦ Capability inventory: Because the agent is launched with safety prompts disabled, it has full autonomous capability to modify the host system, access the network, and read local files.
      ◦ Sanitization: Content is populated into templates using simple string substitution in psm_render_template (lib/tmux.sh), with no filtering for malicious instructions hidden in PR or issue titles.
  • [COMMAND_EXECUTION]: The skill uses dynamic function dispatch in lib/providers/interface.sh to invoke provider-specific logic. Function names are constructed at runtime from variables, a dynamic execution pattern whose safety depends on the integrity of the provider configuration.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 27, 2026, 07:38 AM