The Agent Skills Directory

[COMMAND_EXECUTION]: The skill makes extensive use of shell commands for repository management, environment setup, and file operations. This includes complex commands to determine the repository root and read configuration files during the initialization phase.
[REMOTE_CODE_EXECUTION]: The skill implements a delegation mode using the Codex CLI (codex exec) to implement code. This includes a "yolo mode" that uses the --dangerously-bypass-approvals-and-sandbox flag, allowing the external model to execute arbitrary code with full system and network access. While this is gated by a user consent flow, it represents a significant security risk for AI-generated code execution.
[DYNAMIC_CONTEXT_INJECTION]: The skill uses the ! syntax in SKILL.md to execute shell commands at load time. Specifically, it runs git rev-parse and cat to locate and read a local configuration file. It also uses this syntax in reference files to check for the availability of the codex CLI.
[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It ingests untrusted data from plan documents and bare prompts (ingestion point: SKILL.md via <input_document>), which are then interpolated into a highly capable execution context (Codex with sandbox bypass). While XML delimiters are used as boundary markers in references/codex-delegation-workflow.md, the lack of explicit sanitization for the interpolated plan content allows a malicious plan to potentially influence the code implementation and execution stages.

ce-work-beta