The Agent Skills Directory

[REMOTE_CODE_EXECUTION]: The skill instructs the agent to execute arbitrary shell commands found within the .plan.md files it processes. Specifically, references/structural-compliance-rules.md (Step 8b and Step 9) directs the agent to "run the verification commands" from the plan's YAML verifications: array and to "re-run each listed verification command." This allows for the execution of untrusted code sourced directly from the document being audited.
[COMMAND_EXECUTION]: The skill mandates the execution of shell commands for "Exit gates" (Analysis 0, Step 4) and verification metadata (Analysis 0, Step 9). These commands are sourced directly from the user-provided data, leading to an unsafe command execution pattern where the agent performs actions defined by potentially malicious external content.
[DATA_EXFILTRATION]: Because the skill enables arbitrary command execution based on untrusted input, it creates a direct vector for data exfiltration. A malicious plan could include commands designed to read sensitive files (such as SSH keys, .env files, or cloud credentials) and transmit them to an external server controlled by an attacker.
[PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection as its primary function is to ingest and act upon instructions and commands embedded within untrusted .plan.md files. There are no boundary markers, sanitization steps, or safety constraints described to prevent a malicious plan from hijacking the agent's behavior via these embedded commands.

tl-agent-plan-audit