agent-delegation
Warn
Audited by Gen Agent Trust Hub on Jun 18, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [COMMAND_EXECUTION]: The skill provides tools to execute arbitrary shell commands on the host via the shell runtime. These commands are executed in detached tmux sessions, allowing for long-running background processes that are not immediately visible in the primary terminal interface.
- [REMOTE_CODE_EXECUTION]: The shell runtime and the harnesses feature execute user-supplied strings directly via bash -lc and eval. The skill documentation (SKILL.md and references/safety-rules.md) explicitly states that there is no sandboxing or isolation for these inputs, so the system will execute malicious code if it processes instructions from untrusted sources.
- [EXTERNAL_DOWNLOADS]: The skill depends on several external agent CLIs (claude, codex, pi) that must be pre-installed on the host. These tools facilitate remote interactions with AI providers and are executed as sub-processes by this skill.
- [COMMAND_EXECUTION]: The spawn_agent tool is a surface for indirect prompt injection as defined in Category 8. It ingests a prompt string without boundary markers or sanitization, and through its various runtimes it can perform unrestricted file system and shell operations.
- [REMOTE_CODE_EXECUTION]: According to references/runtime-contract.md, the execution process involves writing a launcher script to the host's filesystem at $ADM_STATE_DIR/launchers/ and then executing it. This dynamic script generation and execution pattern increases the risk of local command injection or modification of the execution flow.
Audit Metadata