skill-system-cockpit

Pass

Audited by Gen Agent Trust Hub on Mar 20, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill manifest explicitly requests the proc.exec capability. Although the defined operations (derive-state, render-feedback, tui) are configured to run only the skill's own scripts/cockpit.py, this permission grants the underlying script the ability to spawn arbitrary system processes.
  • [PROMPT_INJECTION]: The skill functions by ingesting data from multiple sources to derive a shared state, which presents a risk of indirect prompt injection if the ingested data is influenced by an attacker.
  • Ingestion points: Reads content from note/note_tasks.md, note/note_feedback.md, and database tables including agent_tasks, evolution_nodes, and evolution_rejections.
  • Boundary markers: The skill documentation does not mention the use of delimiters or specific instructions to the agent to ignore any embedded prompts within the ingested markdown or database content.
  • Capability inventory: The skill has broad capabilities including filesystem read/write (fs.read, fs.write), database access (db.read), and process execution (proc.exec).
  • Sanitization: No sanitization, escaping, or schema validation is described for the data ingested from the markdown files before it is processed into the cockpit state object.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 20, 2026, 02:07 PM