dispatching-parallel-agents
Warn
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructions provide a template for executing a local Python script using shell-interpolated JSON strings derived from task metadata.
- Evidence: `python3 scripts/check-scope-overlap.py --tasks '[ {"id": "task-1", "scope": [...], "readonly": false} ]'` in Phase 1, Step 3.
- Risk: If task IDs, file paths, or directory names contain shell-sensitive characters like single quotes, backticks, or semicolons, it can lead to arbitrary command execution in the environment running the orchestrator.
- [PROMPT_INJECTION]: The skill facilitates indirect prompt injection by ingesting untrusted problem descriptions and interpolating them into downstream agent prompts.
- Ingestion points: Task descriptions, subsystem context, and error summaries extracted from the repository or user input (Phase 1, Step 1).
- Capability inventory: The agent possesses extensive capabilities including Bash execution, `git` manipulation, and executing local Python scripts.
- Boundary markers: The skill uses a structured markdown template for agent prompts but lacks explicit boundary markers or instructions for the sub-agent to ignore instructions embedded within the provided context.
- Sanitization: There is no evidence of sanitization, escaping, or validation of the external content before it is interpolated into shell commands or sub-agent prompts.
- [COMMAND_EXECUTION]: The integration phase involves automated `git cherry-pick` and `git branch -d` operations based on agent-reported branch names.
- Evidence: Phase 3, Step 1 describes identifying and cherry-picking from 'rogue' branches.
- Risk: If a sub-agent is compromised via indirect prompt injection, it could provide a malicious branch name designed to manipulate the orchestrator's `git` commands.
Audit Metadata