team-coordinate

Warn

Audited by Gen Agent Trust Hub on Apr 17, 2026

Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is inherently designed to process untrusted user input (task descriptions) and decompose it into instructions for multiple sub-agents. This creates a surface for indirect prompt injection where a malicious task could influence the generated role-specs to perform unauthorized actions.
  • Ingestion points: The user-supplied task description is received as $ARGUMENTS in SKILL.md and processed by the analyze-task.md command.
  • Boundary markers: The skill uses structured markdown templates and specific headers (e.g., ## Role Assignment) to separate system-provided instructions from user-derived goals in the generated role-specs.
  • Capability inventory: The skill has access to powerful tools across all scripts, including Agent (for spawning sub-agents), Bash (for command execution), Write/Edit (for file modification), and mcp__ccw-tools__team_msg (for inter-agent communication).
  • Sanitization: The analyze-task.md logic performs keyword mapping and role minimization but lacks explicit sanitization or validation of the user's task description before it is interpolated into the generated role-spec files.
  • [REMOTE_CODE_EXECUTION]: The skill's core mechanism involves using the Agent() tool to spawn background team-worker agents. These agents are configured with dynamically generated instruction sets (role-specs) created at runtime, which constitutes the execution of instructions generated from untrusted input.
  • [COMMAND_EXECUTION]: The coordinator role and its sub-commands (e.g., monitor.md, dispatch.md) execute complex shell-like logic and use the Bash tool (e.g., pwd) to manage session state and coordinate agent activities.
  • [DYNAMIC_EXECUTION]: The skill generates role-specific instruction files in the .workflow/.team/<session-id>/role-specs/ directory at runtime. These files are then dynamically loaded and interpreted by the team-worker agents, representing dynamic loading of instructions from computed paths.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 17, 2026, 01:12 AM