The Agent Skills Directory

[COMMAND_EXECUTION]: The skill includes multiple shell scripts (e.g., afk-nodock-codex.sh, once-codex.sh) that use the --dangerously-bypass-approvals-and-sandbox flag or specify the danger-full-access sandbox when executing the Codex CLI. This explicitly bypasses security controls designed to prevent unauthorized file system access and code execution during AI-driven tasks.
[REMOTE_CODE_EXECUTION]: The SKILL.md instructions require the agent to use npx ctx7@latest for documentation lookups. This pattern downloads and executes a package from the public NPM registry at runtime without version pinning, creating a supply chain risk where the tool could be compromised or replaced with malicious code.
[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from the repository's issue queue and processes it as instructions.
Ingestion points: The shell scripts (afk.sh, once.sh, etc.) read all markdown files from docs/issues/ and concatenate them into a temporary prompt file.
Boundary markers: The prompt construction uses simple string concatenation (Previous commits: $commits Issues: $issues $prompt) without structural delimiters or specific instructions to the model to ignore embedded commands within the issue files.
Capability inventory: The agent is granted the ability to execute shell commands (e.g., dotnet build, dotnet test), modify the local filesystem, and perform git commits.
Sanitization: No sanitization or validation is performed on the content of the issue files before they are interpolated into the prompt and executed by the model.

ralph