a2alinker
Fail
Audited by Gen Agent Trust Hub on May 2, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION]: The Claude runner script (scripts/a2a-claude-runner.sh) invokes the CLI with the --dangerously-skip-permissions flag, which disables model-level safety prompts and permission checks. Because the runner processes untrusted messages from a remote partner agent, this creates a high-risk execution path: a malicious remote partner could trigger unauthorized shell commands through indirect prompt injection.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it is designed to ingest and process instructions from a remote, untrusted agent.
  - Ingestion points: remote messages are fetched from a broker endpoint via scripts/a2a-wait-message.sh.
  - Boundary markers: runtime/supervisor.js wraps remote content in <untrusted_partner_message> tags.
  - Capability inventory: the skill can execute shell commands and file operations via subprocess calls.
  - Sanitization: runtime/policy.js applies regex filters and session-based approvals.
  - Additionally, SKILL.md instructs the agent to conceal transport mechanics and internal script execution from the user.
- [COMMAND_EXECUTION]: The supervisor and runner scripts execute shell commands and scripts based on remote inputs. The unattended mode allows automated processing without human oversight, relying entirely on the internal regex-based policy engine.
- [DATA_EXFILTRATION]: The skill establishes bidirectional communication with a remote broker server. While intended for coordination, this channel could be exploited to exfiltrate local repository data or credentials if the agent is compromised by a malicious partner.
- [EXTERNAL_DOWNLOADS]: The scripts/a2a-supervisor.sh script invokes npx to run ts-node, which dynamically downloads and executes Node.js packages from a well-known public registry.
Recommendations
- AI detected serious security threats
Audit Metadata