querying-council-with-agents

Fail

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The agent-prompt-template.md file defines a shell command bash {SCRIPT_PATH} "{QUESTION}" that is executed by a subagent. The {QUESTION} placeholder is populated with user-supplied input or context from local files. Because the input is wrapped in double quotes in a shell environment without escaping, an attacker can use shell metacharacters (e.g., "; <malicious_command>; ") to break out of the intended command and execute arbitrary code.
  • [PROMPT_INJECTION]: The skill ingests untrusted data from multiple sources and processes it using high-privilege shell capabilities, creating a significant indirect prompt injection surface.
  • Ingestion points: User input and file context are ingested via the {QUESTION} placeholder in SKILL.md. External provider responses are ingested and evaluated by the subagent in Round 2 of the process defined in agent-prompt-template.md.
  • Boundary markers: No boundary markers, XML tags, or delimiters are used to isolate untrusted content, nor are there instructions to the subagent to disregard instructions within the ingested data.
  • Capability inventory: The subagent has the capability to execute shell commands via the bash utility as defined in the prompt template.
  • Sanitization: No sanitization, validation, or escaping of the user-controlled or provider-supplied data is performed before it is interpolated into shell commands or evaluation prompts.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 11, 2026, 05:24 PM