war-room

Warn

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill attempts to execute a local Python script scripts/deferred_capture.py in modules/deferred-capture.md. Since this script is not provided within the skill's file list, its functionality cannot be verified, posing a risk of arbitrary code execution.
  • [COMMAND_EXECUTION]: In modules/expert-roles.md, the skill invokes the claude-glm tool with the --dangerously-skip-permissions flag. This instruction explicitly bypasses standard security prompts and permission checks, allowing the external model to perform actions without user oversight.
  • [DATA_EXFILTRATION]: The modules/discussion-publishing.md module is designed to automatically export deliberation summaries, including 'Intelligence Reports' and 'COA Summaries', to GitHub Discussions via the gh CLI. If the user provides sensitive files to the session (e.g., via the --files argument), these summaries may inadvertently leak proprietary code or confidential project data to an external platform.
  • [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection through two primary vectors:
      • Ingestion Points: It reads user-specified files from the local filesystem and fetches prior decision data from GitHub Discussions during the 'Prior Decision Check' phase in modules/discussion-publishing.md.
      • Capability Inventory: The agent has the ability to execute shell commands (python3, gh, tmux) and delegate tasks to multiple external LLM providers.
      • Boundary Markers: While the deliberation protocol includes a 'Red Team' review, there are no explicit delimiters or sanitization routines mentioned to prevent malicious instructions within ingested files from influencing the 'experts' or the final decision synthesis.
  • [COMMAND_EXECUTION]: The skill uses tmux split-window to dynamically spawn multiple agent teammates when the --agent-teams mode is active. This involves complex shell-level coordination that could be exploited if session IDs or other parameters are manipulated.
Audit Metadata
  Risk Level: MEDIUM
  Analyzed: May 11, 2026, 12:02 PM