dag-fleet
Fail
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: HIGH (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The orchestration scripts launch.sh, relaunch-worker.sh, and kill.sh use unquoted heredocs (<<EOF) to generate JSON status files, expanding variables such as ${_task} and ${WORKER_TASK} directly into the file body. Because nothing escapes the values, a fleet.json field containing a double quote or backslash corrupts the status JSON. Where field text carrying shell metacharacters such as $(...) reaches the shell parser as code, for instance by being concatenated into a generated script or fed through eval, the embedded command runs with the privileges of the user running the orchestrator. Note the distinction: expanding ${_task} inside a heredoc does not by itself re-parse the value, so the command-execution outcome depends on the field being inlined into script text rather than passed as data.
- [REMOTE_CODE_EXECUTION]: The orchestrator dynamically generates and executes shell scripts (.run.sh) to manage worker processes. Some input validation is present, but worker-spawn.sh assembles these scripts by string concatenation, so any fleet.json value that is inlined into the script text becomes shell source; if the validation is circumvented, that value can carry commands that run when the script executes.
- [EXTERNAL_DOWNLOADS]: The skill relies on the external binaries codex and pi (associated with pi.dev). These are external tool dependencies that execute with host permissions, although they are standard for the skill's multi-provider purpose.
- [PROMPT_INJECTION]: The research worker type exposes a surface for indirect prompt injection.
  - Ingestion points: Untrusted data is ingested from the web when research workers use search and fetch tools.
  - Boundary markers: Workers are instructed to isolate output directories, but no technical markers prevent instructions embedded in fetched data from being processed as if they came from the operator.
  - Capability inventory: Depending on the worker type, sub-agents can execute bash commands, write to the filesystem, and perform network operations, so an injected instruction can reach those capabilities.
  - Sanitization: There is no evidence of sanitization or filtering of external content before worker agents process it.
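The following added example is not dag-fleet's own code; it is constructed here to show the two shell behaviours behind the COMMAND_EXECUTION and REMOTE_CODE_EXECUTION findings. The function names (heredoc_direct, gen_unsafe, run_unsafe, json_escape, gen_safe, run_safe) are hypothetical, and MALICIOUS_TASK is a constructed stand-in for a task field read from fleet.json. It demonstrates that a variable expanded inside an unquoted heredoc is not re-parsed, that the same value concatenated into the text of a generated script is parsed as code and its $(...) executes, and that passing the value to the generated script as an argument with JSON escaping removes both the code-execution and the malformed-JSON problem.

```shell
#!/bin/sh
# Added example, not dag-fleet's own code. All function names are
# hypothetical; MALICIOUS_TASK stands in for a "task" field from fleet.json.

# Constructed fleet.json field value carrying a command substitution.
MALICIOUS_TASK='summarize logs $(echo INJECTED)'

# Case 1: the value is expanded inside an unquoted heredoc. The shell expands
# ${_task} once and does not re-parse its contents, so $(echo INJECTED) stays
# literal. The status JSON is still corrupted by any quote or backslash in
# the value, because nothing escapes it.
heredoc_direct() {
  _task=$1
  cat <<EOF
{"task": "${_task}"}
EOF
}

# Case 2: the value is concatenated into the text of a generated script (the
# .run.sh pattern). The field is now part of the script source: when sh
# parses the unquoted heredoc, $(echo INJECTED) runs as a command.
gen_unsafe() {
  printf 'cat <<EOF\n{"task": "%s"}\nEOF\n' "$1"
}
run_unsafe() {
  gen_unsafe "$1" | sh
}

# Fix: keep data out of code. The generated script is a fixed template that
# reads the task from a positional parameter, and the value is JSON-escaped
# before it is passed in. Only backslash and double quote are handled here;
# use jq (for example: jq -n --arg t "$task" '{task:$t}') for full encoding.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}
gen_safe() {
  cat <<'SCRIPT'
task=$1
printf '{"task": "%s"}\n' "$task"
SCRIPT
}
run_safe() {
  gen_safe | sh -s -- "$(json_escape "$1")"
}

# Stand-alone demonstration: run with "demo" as the first argument.
if [ "${1:-}" = "demo" ]; then
  echo "direct heredoc:   $(heredoc_direct "$MALICIOUS_TASK")"
  echo "generated script: $(run_unsafe "$MALICIOUS_TASK")"
  echo "argument-passed:  $(run_safe "$MALICIOUS_TASK")"
fi
```

The difference between run_unsafe and run_safe is the whole fix: in the first the task text is script source, in the second it is argv, and sh never parses argv as code regardless of what metacharacters it contains.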
Recommendations
- AI detected serious security threats.
- Do not inline fleet.json values into shell source: pass them to generated scripts as arguments or environment variables, and JSON-escape (for example with jq --arg) any value written into a status file.
- Treat web content fetched by research workers as data: wrap it in explicit delimiters, instruct the worker to ignore directives found inside it, and limit the bash, filesystem and network capabilities available to that worker type.