agent-swarm

Fail

Audited by Gen Agent Trust Hub on Apr 19, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill implements a job processing engine that executes shell commands defined in YAML frontmatter. The post_cmd and check_cmd parameters allow for the execution of arbitrary scripts or binaries with argument interpolation based on file names. Additionally, the skill references scripts located outside its own directory structure (e.g., ../../../scripts/swarm_run.py), which indicates an attempt to access or execute files from the parent host environment.
  • [DATA_EXFILTRATION]: The documentation explicitly instructs the agent or user to source ~/.zshrc to load environment variables for authentication. This action exposes the entire shell configuration, which typically contains sensitive credentials, private API keys, aliases, and other secrets, to the agent's context. Accessing such configuration files represents a high-risk data exposure vector.
  • [PROMPT_INJECTION]: The skill architecture creates a surface for indirect prompt injection by processing untrusted external files through a swarm of agents.
    • Ingestion points: Individual files provided via --files-from or discovered in directories via --dir.
    • Boundary markers: None identified; the system lacks clear delimiters or instructions that would prevent commands embedded in the processed data from being interpreted by the sub-agents.
    • Capability inventory: The orchestrator has the ability to execute shell commands (post_cmd) and perform file writes based on agent output.
    • Sanitization: There is no evidence of validation or filtering of the content of processed files before they are passed to the LLM workers, so content within the files can potentially influence the orchestrator's behavior.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 19, 2026, 10:47 AM