rpi
Warn
Audited by Gen Agent Trust Hub on May 23, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill documentation and reference files include instructions for executing shell commands and scripts. For example, references/context-windowing.md lists several Python scripts (scripts/rpi/generate-context-shards.py, run-shard.py, init-shard-progress.py) meant to be executed during the workflow. Reference references/installed-plugin-version-not-repo-head.md provides a shell snippet using find and rm -rf to prune directories in the user's home directory (~/.claude/plugins/cache/).
- [COMMAND_EXECUTION]: The file references/codex-executor.md specifies a hardcoded binary path (/Users/bo/go/bin/ao) and instructs the agent to use it for execution. Hardcoding user-specific paths can lead to execution failures or unexpected behavior on different systems.
- [PROMPT_INJECTION]: The skill contains strong directives that override standard human-in-the-loop safety patterns. In references/autonomous-execution.md, the agent is instructed to be 'Fully Autonomous by Default' and explicitly told 'Do NOT: Ask the user for confirmation between phases' and 'Do NOT ask "want me to commit?" or "should I continue?"'. These instructions effectively remove user oversight from the autonomous loop.
- [DATA_EXPOSURE]: The skill references and operates on sensitive local directories, specifically the platform's plugin cache (~/.claude/plugins/cache/), to diagnose and fix versioning drifts. While intended for maintenance, access to such paths constitutes local data exposure.
- [DATA_EXPOSURE]: The orchestrator manages an 'execution packet' (.agents/rpi/execution-packet.json) that aggregates data from various phases. This data is interpolated into subsequent tool calls, creating an attack surface for indirect prompt injection if the ingested data (like goals or findings from the filesystem) contains malicious instructions.
Audit Metadata