team-executor

Pass

Audited by Gen Agent Trust Hub on Apr 17, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests role definitions and task instructions from an external, potentially untrusted session directory.
  • Ingestion points: The skill reads team-session.json, task-analysis.json, and all markdown files within the role-specs/ directory of the path provided to the --session argument.
  • Boundary markers: Absent. The skill uses simple string interpolation to inject file content directly into sub-agent prompts.
  • Capability inventory: The orchestration role and its spawned workers have access to powerful tools including Bash(*), Agent(*), Write(*), and Edit(*).
  • Sanitization: The skill performs structural validation (e.g., checking for file existence and JSON parsing) but does not validate or filter the safety of the natural language instructions contained within the session files.
  • [COMMAND_EXECUTION]: The skill uses the Bash tool for operational tasks and orchestrates sub-agents that possess similar capabilities. A maliciously crafted session folder could contain instructions that trick the agent into executing harmful shell commands on the host system.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 17, 2026, 01:12 AM