skills/zpankz/mcp-skillset/component/Gen Agent Trust Hub

component

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The framework explicitly supports and provides examples for agents with unrestricted shell access.
      • Evidence: In references/patterns.md, the executor.md agent is defined with allowed-tools: [Bash(*)] and permissionMode: allow, granting the agent full system access without user confirmation.
      • Evidence: In references/examples.md, the deployer.md agent uses Bash(kubectl:*) and Bash(docker:*) with the capability to modify infrastructure.
  • [PROMPT_INJECTION] (HIGH): The architecture is highly vulnerable to Indirect Prompt Injection (Category 8) due to the combination of untrusted data ingestion and high-privilege capabilities.
      • Ingestion points: agents/reviewer.md (via git diff) and agents/researcher.md (via WebFetch) in references/examples.md ingest untrusted external data.
      • Boundary markers: None of the provided examples or syntax references include the use of delimiters or instructions to ignore embedded commands in external data.
      • Capability inventory: High-risk tools like Bash(*), Write, and Agent (for spawning more agents) are available to components processing this data.
      • Sanitization: There is no evidence of input validation or sanitization logic in the documentation or the validation script (scripts/validate.py).
  • [REMOTE_CODE_EXECUTION] (MEDIUM): The framework facilitates the execution of code generated or retrieved from remote sources.
      • Evidence: skills/container-ops/SKILL.md in references/examples.md includes an embedded Dockerfile template which agents are encouraged to build and run, creating a path for runtime code execution.
  • [DYNAMIC_EXECUTION] (MEDIUM): The scripts/generate.py script uses string templates to create executable markdown configurations. While the script itself is a local utility, it demonstrates a pattern of generating operational logic from templates, which could be manipulated if input sources are not controlled.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 04:37 AM