team-ultra-analyze

Fail

Audited by Gen Agent Trust Hub on May 5, 2026

Risk Level: HIGH | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill is vulnerable to shell command injection in several roles. In roles/explorer/role.md, roles/analyst/role.md, and roles/discussant/role.md, the skill uses the Bash tool to execute ccw cli commands. These commands are constructed by interpolating user-controlled variables, such as and , directly into double-quoted command arguments. An attacker can provide input containing shell metacharacters (e.g., " & touch /tmp/pwned #) to escape the quotes and execute arbitrary commands on the host system.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its multi-agent orchestration pattern. The coordinator role in roles/coordinator/commands/dispatch.md and roles/coordinator/commands/monitor.md interpolates raw user input (the analysis topic) into task descriptions and the prompts used to spawn subagents (team-worker).
      1. Ingestion points: User-provided strings for the analysis topic and feedback enter the system via the coordinator's arguments and interactive questions.
      2. Boundary markers: None. User input is embedded directly into directives without delimiters or instructions to ignore nested commands.
      3. Capability inventory: Subagents have broad capabilities including file system access (Read, Write, Edit) and shell execution (Bash).
      4. Sanitization: None. The skill does not escape, validate, or filter the user-supplied content before it is passed to subagents or used in shell commands.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: May 5, 2026, 04:03 AM