recursive-router
Pass
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on executing local Python and PowerShell scripts (e.g., recursive-router-init.py, recursive-router-invoke.ps1) to manage routing logic. It also directly invokes external binaries such as codex, kimi, and opencode-cli.exe using system shell calls with arguments that include file paths and model parameters.
- [DATA_EXFILTRATION]: By design, the skill transmits project data—including source code, diffs, and context bundles—to external model providers via their respective CLIs. This behavior is documented and includes instructions for the main agent to verify results to mitigate the risks associated with processing data from external sources.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from the repository (e.g., 'prompt bundles' or 'review bundles') and passes them to external models. The skill documentation specifically addresses this surface by requiring boundary markers and mandatory verification of all routed outputs.
- Ingestion points: Prompt content is read from generated files like ./.recursive/run/<run-id>/router-prompts/code-reviewer-bundle.md.
- Boundary markers: The skill references a 'canonical review-bundle contract' and requires 'exact output shape' instructions to maintain context boundaries.
- Capability inventory: The skill utilizes subprocess execution for CLIs and file-system read/write operations via its core scripts.
- Sanitization: The skill explicitly instructs the controller to reject routed output that is incomplete or off-contract and to perform verification against actual file diffs.
- [CREDENTIALS_UNSAFE]: The skill accesses sensitive local configuration directories, such as ~/.codex/ and ~/.kimi/, to discover model aliases and cached metadata. It also interacts with authenticated CLI sessions for services like Opencode to retrieve available provider and model lists.
Audit Metadata