autonomous-skill

Fail

Audited by Gen Agent Trust Hub on Apr 26, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: Critical shell command injection vulnerability in scripts/run-session.sh and scripts/setup-loop.sh. Input variables such as $task_desc and $task_name are interpolated into claude -p shell commands and unquoted heredocs. Malicious input containing shell metacharacters such as double quotes ("), semicolons (;), or backticks (`) can terminate the intended command and execute arbitrary shell commands on the user's machine.
  • [COMMAND_EXECUTION]: The skill defaults to bypassPermissions mode for the Claude Code CLI in scripts/run-session.sh, enabling the agent to perform all actions—including file system modifications and deletions—without user approval. This high-privilege configuration contradicts the SKILL.md documentation, which incorrectly lists the default as auto (user-prompted).
  • [PROMPT_INJECTION]: High risk of indirect prompt injection. Ingestion points: {TASK_DIR}/task_list.md, {TASK_DIR}/progress.md, and various project files (as specified in templates/executor-prompt.md). Boundary markers: Absent; there are no instructions or delimiters designed to isolate and ignore malicious commands within processed data. Capability inventory: Full system access across multiple sessions using the claude CLI with bypassPermissions enabled. Sanitization: Absent; the agent is explicitly instructed to 'trust the order' of tasks and the state found in tracking files.
  • [COMMAND_EXECUTION]: The script scripts/run-session.sh intentionally unsets the CLAUDECODE environment variable to permit nested agent execution. This bypasses the CLI's standard safety mechanism designed to prevent uncontrolled recursion and unauthorized sub-sessions.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 26, 2026, 09:12 AM