The Agent Skills Directory

[COMMAND_EXECUTION]: The skill performs shell command interpolation of user-provided input when invoking the ccw cli tool in Phase 1. The requirement variable, derived directly from the user's input arguments, is inserted into a Bash command string without escaping shell metacharacters such as semicolons, backticks, or pipes. This vulnerability allows an attacker to execute arbitrary shell commands on the host system.
[PROMPT_INJECTION]: The skill design introduces a significant indirect prompt injection attack surface. It decomposes high-level user requirements into granular task descriptions, test cases, and 'execution directives' that are then executed by autonomous sub-agents via spawn_agents_on_csv. A malicious user could craft a requirement that results in the generation of tasks containing instructions to exfiltrate sensitive data, modify critical files, or execute unauthorized commands.
Ingestion points: User-provided requirement string in $ARGUMENTS.
Boundary markers: The system lacks explicit delimiters or instructions for sub-agents to ignore potentially malicious embedded content in task fields.
Capability inventory: Sub-agents are granted broad capabilities across all waves, including Bash, Read, Write, and spawn_agents_on_csv.
Sanitization: There is no validation, escaping, or sanitization of the decomposed task content before it is interpolated into sub-agent prompts.

csv-wave-pipeline