skill-researcher

Warn

Audited by Gen Agent Trust Hub on Apr 27, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill is vulnerable to JQ injection in Stages 2, 7, and 8. The variable task_number is interpolated directly into JQ filter strings (select(.project_number == '$task_number')) within a Bash shell command. An attacker could provide a malicious string for task_number to escape the intended filter and execute arbitrary JQ logic, allowing them to modify or corrupt any part of the state.json file.
  • [PROMPT_INJECTION]: The skill accepts a focus_prompt input and passes it directly to a subagent without sanitization or boundary markers. This allows for indirect prompt injection where a malicious focus prompt could override the research agent's behavior or safety constraints.
  • [COMMAND_EXECUTION]: In Stage 9, the skill executes git add -A followed by a commit. This automatically stages and commits all changes in the repository. If a malicious subagent or process has written unauthorized files to the workspace, this skill will silently persist those changes into the Git history without explicit user review.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 27, 2026, 12:36 AM