autoresearch-fleet

Warn

Audited by Gen Agent Trust Hub on May 14, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The launch.sh script generates an orchestrator.sh script that executes a sub-agent (claude, codex, or pi) using bash -c. This sub-agent is granted significant autonomy to manage a project codebase.
  • [REMOTE_CODE_EXECUTION]: The orchestrator instructs the sub-agent to execute an arbitrary eval_command provided in the fleet.json configuration file. When using the Claude provider, the sub-agent is launched with the --dangerously-skip-permissions flag, which bypasses the user confirmation requirement for tool usage. This allows the agent to execute shell commands and modify files silently.
  • [PROMPT_INJECTION]: The skill uses "NEVER STOP" and "LOOP FOREVER" directives in its core instructions (program.md) and in the generated orchestrator prompt. These instructions are intended to override default AI behavior regarding task completion and safety-related termination.
  • [INDIRECT_PROMPT_INJECTION]: The autonomous loop creates an indirect prompt injection surface by having the agent read its own history from results.tsv at the start of every iteration. Because the agent also writes experiment descriptions to this file, an attacker who can influence the code being optimized or its output could inject instructions that the agent would follow in subsequent iterations.
  • Ingestion points: The results.tsv file is read by the agent in each iteration (referenced in orchestrator.sh and program.md).
  • Boundary markers: Absent. The agent is instructed to read the file for context on prior experiments without any delimiters or "ignore instructions" warnings.
  • Capability inventory: The spawned sub-agent has access to Bash, Edit, Write, and WebSearch tools (as defined in lib/worker-spawn.sh and lib/tools.sh), and is explicitly given permission to use them without user confirmation.
  • Sanitization: Absent. Data from the experiment log is incorporated directly into the agent's context in every loop.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 14, 2026, 06:03 PM