The Agent Skills Directory

[PROMPT_INJECTION]: The skill's prompt templates, specifically in references/templates/exec.tmpl.md and scripts/render-task-prompts.sh, include a mandatory 'SUBAGENT-STOP' prefix. This instruction set commands the AI to 'SKIP ALL META-SKILLS' and 'DO NOT READ SKILL FILES,' which functions as a behavioral override attempt.
[COMMAND_EXECUTION]: The orchestration scripts (e.g., scripts/run-fleet.sh and scripts/setup-worktree.sh) are designed to run various development commands including npx prisma generate and auto-detected test runners like pnpm test. While necessary for the skill's function, this permits execution of commands defined within the target codebase.
[PROMPT_INJECTION]: The skill possesses a significant surface for indirect prompt injection.
Ingestion points: External data is ingested from inputs.txt in batch mode, tasks.json in exec mode, and the source code content of branches in review mode.
Boundary markers: Templates use markdown headers (e.g., # Input) to separate instructions from ingested data, but the documentation notes these markers are fragile.
Capability inventory: In run-fleet.sh, run-batch.sh, and run-single.sh, the codex exec command is utilized with the --dangerously-bypass-approvals-and-sandbox flag, providing the agent with unrestricted filesystem access and network egress.
Sanitization: Ingested content is interpolated directly into prompts without sanitization; only filenames derived from the data are passed through a slugify function.

orchestrate-codex