
council

Pass

Audited by Gen Agent Trust Hub on May 27, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads untrusted data (source files, git diffs, and project specifications) and interpolates it directly into the context packet sent to subagents.
    • Ingestion points: As described in references/packet-format.md, the council_packet inlines the actual content of project files and git diffs.
    • Boundary markers: The subagent prompts in references/agent-prompts.md use JSON code blocks and markdown headers to delineate instructions. This provides some structural separation but does not prevent a motivated attacker from placing malicious instructions within the data.
    • Capability inventory: The skill can spawn subagents that have access to filesystem tools and the Bash tool, which increases the impact of a successful injection.
    • Sanitization: No sanitization or escaping of the inlined content is mentioned in the prompts or scripts.
  • [COMMAND_EXECUTION]: The skill frequently uses the Bash tool to execute external CLI tools and local scripts.
    • It executes the codex CLI to run parallel judges on the OpenAI platform.
    • It runs local validation scripts in the scripts/ directory, such as validate-mixed-artifacts.sh, which dynamically generates and executes a Python script to verify JSON outputs against a schema.
Audit Metadata
Risk Level
SAFE
Analyzed
May 27, 2026, 01:51 PM
Security Audit — agent-trust-hub — council