aitc-workflow
Fail
Audited by Gen Agent Trust Hub on May 6, 2026
Risk Level: HIGH
CREDENTIALS_UNSAFE, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The file 'templates/task-skill-instance.md' explicitly directs agents to include 'CONCRETE AND REAL' values such as 'the actual token' and 'actual IP address' in task skill files. This leads to the storage of sensitive credentials in plain text within the repository, where they may be committed and exposed.
- [COMMAND_EXECUTION]: The workflow involves various shell commands, including 'git' for version control, 'tmux' for pane management, and 'kill' for process termination ('references/verification-subagent.md', 'references/error-recovery.md'). It also establishes persistent background monitoring using cron jobs ('references/guardian-setup.md'), which is a high-risk persistence mechanism.
- [REMOTE_CODE_EXECUTION]: The skill uses dynamic orchestration to spawn subagents via 'Agent()' calls with prompts assembled from local files and teammate outputs ('references/prompt-assembly.md'). This dynamic prompt construction and execution of agent logic based on untrusted data constitutes a remote execution risk.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. 1. Ingestion points: The Lead agent processes data from 'docs/plans/', 'skills/', and teammate outputs. 2. Boundary markers: Prompts use structural parts (A-F) but lack explicit sanitization or instructions to ignore embedded malicious content. 3. Capability inventory: Includes spawning subagents with high-reasoning models (Opus), executing shell commands, and managing processes. 4. Sanitization: There is no mechanism to validate or sanitize subagent outputs before they influence the Lead's planning and execution logic.
Recommendations
- AI detected serious security threats
Audit Metadata