qwen-agent
Warn
Audited by Gen Agent Trust Hub on Jun 14, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute the claude-9arm CLI tool and explicitly recommends the --allowedTools flag to grant the subagent autonomous execution of powerful tools including Bash, Read, Edit, and Write without requiring per-action user approval.
- [PROMPT_INJECTION]: The skill advises bypassing the platform's primary safety mechanism by providing a configuration snippet to permanently allow the subagent to execute Bash commands without confirmation ({ "permissions": { "allow": ["Bash(claude-9arm:*)"] } }). This removes the human-in-the-loop requirement, allowing for silent, arbitrary shell command execution.
- [DATA_EXFILTRATION]: The subagent is granted 'Read' and 'Bash' capabilities while routing activity through an external gateway. This creates a potential path for data exfiltration, as the subagent can be directed to read sensitive local files and transmit them externally without user oversight or consent.
- [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface. Ingestion points: the subagent reads arbitrary project files, logs, and search results via the Read, Glob, and Grep tools. Boundary markers: data is processed without explicit delimiters or warnings to ignore embedded instructions. Capability inventory: the subagent possesses powerful Bash, Edit, and Write capabilities as defined in SKILL.md. Sanitization: no sanitization or validation of the ingested content is performed, allowing malicious instructions in processed files to potentially hijack the subagent's high-privilege tools.
Audit Metadata