Gen Agent Trust Hub audit: skills/inkeep/team-skills/research

Skill: research

Result: Fail

Audited by Gen Agent Trust Hub on May 4, 2026

Risk Level: HIGH
Finding categories: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to spawn nested sub-instances of the agent using the --dangerously-skip-permissions flag, specifically in the references/nested-fanout.md file. This is a significant privilege escalation risk as it bypasses the platform's security prompts, allowing sub-agents to execute potentially dangerous tools without explicit user confirmation.
  • [COMMAND_EXECUTION]: The instructions make extensive use of the bash tool to perform system-level tasks, including directory management (mkdir), running TypeScript scripts via the bun runtime, and executing network operations with curl.
  • [REMOTE_CODE_EXECUTION]: The skill implements functionality to clone and pull from external Git repositories to a local directory (~/.claude/oss-repos/) for analysis. Performing research on untrusted codebases involves executing commands on the content, which poses a risk of code execution if the repository is malicious.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) due to its core design of ingesting data from untrusted web sources and external repositories into the agent's context.
    • Ingestion points: Data enters the system via WebFetch, WebSearch, and git clone as described in references/web-search-guidance.md and references/source-code-research.md.
    • Boundary markers: The skill relies on Markdown formatting (code blocks) to separate evidence snippets, which does not prevent the model from interpreting instructions embedded in the ingested data.
    • Capability inventory: The agent possesses powerful capabilities including file writing, network access, and the ability to spawn autonomous sub-processes.
    • Sanitization: No formal sanitization or validation of the retrieved external content is performed before it is processed or written to report files.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 4, 2026, 08:39 PM
Security Audit — agent-trust-hub — research