looping-tasks

Warn

Audited by Gen Agent Trust Hub on Apr 25, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill deploys and runs shell scripts (loop.sh, loop-worktrees.sh) that automate Claude sessions. These scripts utilize the --dangerously-skip-permissions flag, which disables the platform's standard human-in-the-loop confirmation for sensitive tool executions like arbitrary shell commands or file writes.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because the autonomous loop ingests and implements instructions from external files like IMPLEMENTATION_PLAN.md and CLAUDE.md. While the script includes instructions to treat these files as data, the worker agent's primary goal is to carry out the tasks defined within them. The absence of tool execution permission checks significantly increases the impact of malicious tasks injected into these files.
      • Ingestion points: IMPLEMENTATION_PLAN.md, CLAUDE.md, and loop/handoff.md (via loop.sh and prompt.txt);
      • Boundary markers: Present as 'READ AS DATA' instructions, though the agent is simultaneously instructed to implement tasks from these sources;
      • Capability inventory: Full file system access and shell command execution via the claude CLI;
      • Sanitization: None; the agent processes and implements the raw contents of the plan files.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 25, 2026, 01:07 PM