The Agent Skills Directory

[COMMAND_EXECUTION]: The skill allows the execution of arbitrary shell commands provided via the metric parameter. These commands are executed directly in the project environment (or a worktree), providing a vector for full system access.
[DATA_EXFILTRATION]: Because the metric input accepts raw shell commands, a malicious actor could provide a command that reads sensitive files (such as .env, .aws/credentials, or SSH keys) and exfiltrates them via tools like curl or wget during the evaluation loop.
[REMOTE_CODE_EXECUTION]: The skill's automated iteration logic executes the provided metric shell command multiple times. This allows for the persistent execution of arbitrary scripts or binaries under the guise of measuring performance metrics.
[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its recursive file-modification behavior.
Ingestion points: The skill reads and modifies files defined by a user-provided glob pattern in the scope parameter.
Boundary markers: No specific boundary markers or 'ignore instructions' guards are present when the sub-agent processes the source files.
Capability inventory: The skill possesses extensive capabilities, including shell command execution (metric command), file system write access, and Git operations (worktree, stash).
Sanitization: There is no sanitization or validation of the contents of the files in the scope before they are processed by the agent, allowing malicious comments or strings in the source code to potentially hijack the agent's logic.

experiment