run-batch-codex-research

Pass

Audited by Gen Agent Trust Hub on May 10, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from a user-provided inputs.txt file and interpolates it into a prompt template without boundary markers or content sanitization. Malicious instructions within the input list could hijack the behavior of the underlying LLM CLI.
  • Ingestion points: The inputs.txt file is processed by scripts/render-prompts.sh to generate per-input prompt files.
  • Boundary markers: The skill does not enforce or recommend the use of delimiters (e.g., XML tags or specific markers) around the interpolated user data in template.md to distinguish it from system instructions.
  • Capability inventory: The resulting prompts are executed via codex exec in scripts/run-batch.sh. This tool has the capability to execute shell commands and modify the filesystem.
  • Sanitization: While the skill correctly sanitizes filenames and shell variables, the text content substituted into the prompts remains unvalidated.
  • [COMMAND_EXECUTION]: The skill's runner script (scripts/run-batch.sh) is designed to execute the codex CLI using the --dangerously-bypass-approvals-and-sandbox and --skip-git-repo-check flags. Although these flags are documented as necessary for non-interactive parallel processing, they remove critical security boundaries, which increases the potential impact of a successful prompt injection attack.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 10, 2026, 03:49 PM