flow-deliver

Fail

Audited by Gen Agent Trust Hub on May 7, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Shell command injection vulnerability in Step 4. User-provided content from the validation request is directly interpolated into a bash command string: ${HOME}/.claude-octopus/plugin/scripts/orchestrate.sh deliver "<user's validation request>". If the input contains shell metacharacters like backticks, semicolons, or double quotes, it can lead to arbitrary command execution on the host system.
  • [COMMAND_EXECUTION]: The skill mandates the execution of multiple local scripts (e.g., octo-state.sh, check-providers.sh, state-manager.sh, orchestrate.sh) located in the hidden ${HOME}/.claude-octopus/ directory, relying on an external installation with high-privilege access to the user's home folder.
  • [DATA_EXFILTRATION]: The workflow automatically extracts content from local validation result files and posts it to external GitHub Pull Requests using the gh CLI tool, which transmits local project information to an external service.
  • [PROMPT_INJECTION]: The skill exhibits a significant attack surface for indirect prompt injection (Category 8):
      • Ingestion points: Processes untrusted data from .octo/STATE.md, direct user prompts, and generated validation files in ~/.claude-octopus/results/.
      • Boundary markers: No boundary markers, XML-style tags, or instructions to ignore embedded commands are used when passing untrusted data to shell scripts or external AI providers.
      • Capability inventory: Possesses high-privilege capabilities including full shell access, file system reading/writing, and network communication via the GitHub CLI.
      • Sanitization: No input validation or sanitization is performed on user-supplied strings or file content before they are interpolated into commands or processed.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: May 7, 2026, 03:28 PM