The Agent Skills Directory

[PROMPT_INJECTION]: The skill documentation and command surface (specifically the --inject flags for superagent orchestration check and superagent orchestration dispatch) explicitly facilitate "agent prompt injection." This creates a significant surface for indirect prompt injection attacks where untrusted content from one agent or an external message can influence or override the instructions of a recipient agent.\n
Ingestion points: Untrusted data enters the agent context via superagent orchestration check and superagent orchestration dispatch (SKILL.md).\n
Boundary markers: The skill lacks security boundaries to isolate injected content; banners like [HIGH] or [URGENT] are used for priority signaling rather than instruction delimitation.\n
Capability inventory: The agents have full shell access and terminal management capabilities through superagent terminal commands.\n
Sanitization: No evidence of content sanitization or validation is present in the orchestration workflow.\n- [COMMAND_EXECUTION]: The skill provides powerful terminal management tools, such as superagent terminal create (which executes arbitrary commands via the --command flag) and superagent terminal send. These tools allow an agent to execute code across multiple environments, which could be abused if an agent is compromised by malicious input.\n- [DATA_EXFILTRATION]: The inter-agent messaging system and the ability to read terminal output (superagent terminal read) provide potential pathways for data exfiltration or unauthorized data movement between worktrees if a coordinator or worker agent is misled by injected instructions.\n- [PROMPT_INJECTION]: The superagent orchestration send command features a --from parameter that allows for terminal impersonation. This enables an agent to forge messages as if they originated from a different terminal, potentially bypassing trust expectations in automated workflows.

orchestration