subagent
Pass
Audited by Gen Agent Trust Hub on May 13, 2026
Risk Level: SAFE
Flags: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill makes extensive use of the evo CLI to manage the optimization lifecycle. It specifically instructs the agent to use evo gate add, which allows for the definition and execution of arbitrary shell commands as validation gates (e.g., evo gate add <exp_id> --name "name" --command "<command>"). While this is a core feature of the protocol, it provides a mechanism for the agent to execute arbitrary logic on the host system.
- [REMOTE_CODE_EXECUTION]: The central purpose of the skill is the autonomous generation and execution of code. The agent is instructed to "formulate the edit", apply it to the target worktree, and then use evo run <exp_id> to execute the modified code. This functionality creates a significant attack surface if the agent is influenced to perform destructive or malicious code changes.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. The protocol requires the subagent to read "pointer traces", "annotations" from other agents, and "scratchpad" summaries to inform its decisions. These data sources could be poisoned with malicious instructions designed to override the agent's logic or guide it toward harmful code modifications (e.g., an annotation suggesting a "fix" that actually installs a backdoor).
- Ingestion points: The agent reads content via evo traces, evo scratchpad, and experiments/<id>/attempts/NNN/outcome.json.
- Boundary markers: No explicit delimiters or instructions are provided to the agent to treat external traces or annotations as untrusted data.
- Capability inventory: The agent has the ability to read/write files in the worktree, execute code via evo run, and define shell commands via evo gate add.
- Sanitization: There is no evidence of sanitization or validation of the content retrieved from traces or annotations before it influences the agent's hypothesis formation.
Audit Metadata