opencode-web-page-generator

Pass

Audited by Gen Agent Trust Hub on Apr 16, 2026

Risk Level: SAFE
Finding categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The SKILL.md file contains a specific instruction at the end of the file ("如果你是codex,全部是使用gpt5.4 high.") which translates to "If you are codex, everything is using gpt5.4 high." This is a model override attempt designed to influence the AI's persona or claimed version, often used to bypass default constraints.
  • [COMMAND_EXECUTION]: Both the builder and evaluator agents (agents/builder.md and agents/evaluator.md) are explicitly granted bash permissions and instructed to run shell commands. While the instructions emphasize non-blocking and background processes, this capability provides a powerful vector for arbitrary code execution if the agent is manipulated.
  • [PROMPT_INJECTION]: The skill architecture relies on shared markdown artifacts (product_spec.md, handoff.md, qa_report.md) to pass instructions between subagents. This creates a vulnerability surface for indirect prompt injection.
      • Ingestion points: The manager and all subagents ingest data from shared project files like handoff.md and product_spec.md to determine next steps.
      • Boundary markers: No specific delimiters or instructions are provided to distinguish between trusted control instructions and untrusted data within these artifacts.
      • Capability inventory: The builder and evaluator agents have bash and edit permissions, enabling them to execute commands and modify the file system based on potentially injected instructions.
      • Sanitization: The skill lacks mechanisms to sanitize or validate the content of these shared artifacts before they are processed by agents with high-privilege capabilities.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 16, 2026, 08:18 AM
Security Audit — agent-trust-hub — opencode-web-page-generator