Skill: skills/steveclarke/dotfiles/council

council

Pass

Audited by Gen Agent Trust Hub on May 13, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it ingests untrusted data from project files and interpolates it into prompts for multiple sub-agents (Advisors, Reviewers, and Chairman) without robust sanitization or strict boundary markers.
  • Ingestion points: Automatically scans and reads workspace files including CLAUDE.md, the memory/ directory, and previous transcript files to enrich the decision context.
  • Boundary markers: The skill uses basic structural delimiters like --- in its templates but lacks explicit instructions to the sub-agents to ignore or treat embedded commands within the context as non-executable data.
  • Capability inventory: The skill performs file system reads via Glob and Read calls, spawns 11 sub-agents in a sequential/parallel chain, and writes session transcripts to the local disk.
  • Sanitization: There is no evidence of escaping, filtering, or validating the content of the files read before passing them to the sub-agent chain.
  • [COMMAND_EXECUTION]: The skill instructs the agent to perform environment-altering operations, specifically using Glob and Read tools to access project context and writing detailed transcript files (council-transcript-*.md) to the current working directory.
Audit Metadata
Risk Level: SAFE
Analyzed: May 13, 2026, 08:12 PM