fleet
Warn
Audited by Gen Agent Trust Hub on May 5, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
- [COMMAND_EXECUTION]: The skill performs extensive execution of local Node.js scripts found in the .citadel/scripts/ and scripts/ directories, such as telemetry-log.cjs and momentum-read.cjs. It also invokes npm run propagate. These actions provide a vector for arbitrary code execution if the local project environment is compromised.
- [PROMPT_INJECTION]: The orchestrator includes instructions to spawn sub-agents using mode: "bypassPermissions". This requests the platform to ignore standard security and permission constraints for the generated agents, effectively escalating their privileges and increasing the potential impact of sub-agent instructions.
- [DATA_EXFILTRATION]: The skill uses telemetry scripts to log campaign and agent data. If these scripts are configured to report to external endpoints, they could be used to exfiltrate session-specific information or project metadata without explicit user consent.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface where untrusted data could influence agent behavior.
  - Ingestion points: Content is read from CLAUDE.md, campaign files in .planning/campaigns/, and fleet session files.
  - Boundary markers: No specific delimiters or safety instructions (e.g., "ignore embedded instructions") are used when including this data in sub-agent prompts.
  - Capability inventory: Sub-agents are spawned with escalated privileges (bypassPermissions) and the skill has the ability to execute various shell commands and Node.js scripts.
  - Sanitization: No sanitization or validation is performed on the content read from files before it is interpolated into prompts.