The Agent Skills Directory

[COMMAND_EXECUTION]: The skill instructions in SKILL.md explicitly direct the agent to execute shell commands with high-risk flags: node .claude/skills/omega-cursor-cli/scripts/ask-cursor.mjs "$PROMPT" --yolo --trust. The --yolo and --trust flags are known to disable human-in-the-loop confirmations for AI-driven actions, allowing the model to perform potentially destructive file modifications or command executions without oversight.
[PROMPT_INJECTION]: The skill's deliberation protocol creates a surface for indirect prompt injection by design.
Ingestion points: The raw user-supplied $PROMPT is passed to multiple models, and the resulting outputs are then used as input for 'Peer Review' and 'Chairman' agents.
Boundary markers: There are no delimiters or boundary markers (such as XML tags or explicit 'ignore instructions' prefixes) used when interpolating model responses into subsequent stages.
Capability inventory: The skill utilizes Bash, Read, and Write tools, performs file system operations in .claude/context/tmp/, and optionally executes git worktree commands to modify code repositories.
Sanitization: No validation, sanitization, or escaping is performed on the data flowing between the different models, allowing a single malicious or manipulated model output to compromise the entire council deliberation process.

llm-council