loop-supervisor

Warn

Audited by Gen Agent Trust Hub on Apr 23, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to automatically extract launch commands from project files such as README.md or PROMPT.md and use them "verbatim" (SKILL.md, Step 2). Because the command text is taken from repository content without any validation, a malicious or tampered repository can cause arbitrary command execution.
  • [PROMPT_INJECTION]: The supervisor design is inherently vulnerable to indirect prompt injection (Category 8) as it is instructed to monitor and "absorb" state from files generated by an inner-loop agent.
  • Ingestion points: run-log.md, loop-state.md, backlog.md, and PROMPT.md files located within project directories.
  • Boundary markers: Absent; the instructions rely on standard Markdown formatting without providing clear delimiters or warnings to ignore instructions embedded within the monitored data.
  • Capability inventory: The supervisor has powerful tool access, including control over tmux sessions (sending keys and interrupts), Git operations (committing changes and reverting files), and broad file system write access.
  • Sanitization: Absent; there is no logic described to validate or sanitize the content read from logs and state files before the supervisor agent processes them.
  • [COMMAND_EXECUTION]: The "autonomous" authority stance recommended in the reference material (references/authority-stances.md) allows the agent to modify any file and commit code to unblock progress. This high-privilege capability, when combined with the ingestion of untrusted log data, increases the risk of the agent being tricked into performing harmful modifications.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 23, 2026, 08:27 PM