Status: Fail

Audited by Gen Agent Trust Hub on May 12, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script '_shared/tools/dependency-utils.sh' contains the 'maw_install_system_package' function which uses 'sudo apt-get install -y' to install system dependencies if they are missing. The use of 'sudo' to acquire administrative privileges is a significant security risk.
  • [PROMPT_INJECTION]: The orchestrator architecture is vulnerable to indirect prompt injection. In '_cli/cli/orchestrator/stage_runner.py', the system reads reports from sub-agents that include data retrieved via 'WebFetch' and 'WebSearch'. The synthesis prompts in '_cli/cli/prompts/research.py' do not use isolation markers or sanitization, potentially allowing malicious content from websites to influence the agent's logic.
  • [COMMAND_EXECUTION]: The sub-agent configuration in '_cli/cli/orchestrator/agent_caller.py' allows the use of the 'Bash' tool for arbitrary shell command execution. When coupled with the indirect prompt injection risk from external web data, this provides a mechanism for remote attackers to execute commands on the local system.
  • [REMOTE_CODE_EXECUTION]: The framework performs automatic installation of Python dependencies ('typer', 'rich', 'pydantic', 'PyYAML') at runtime via 'pip install' as seen in '_cli/cli/dependencies.py'. While these are standard packages, automated runtime installation is a risky dependency management pattern.
  • [REMOTE_CODE_EXECUTION]: The orchestration module '_cli/cli/dependencies.py' uses 'importlib.import_module' to load Python components dynamically, which can become an entry point for executing untrusted code if the module names it receives are attacker-controlled.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: May 12, 2026, 04:06 AM