use-codex

Pass

Audited by Gen Agent Trust Hub on May 15, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its handling of untrusted data.
  • Ingestion points: In batch mode, scripts/render-prompts.sh ingests data from an external inputs file. In exec and single modes, scripts/render-task-prompts.sh wraps raw description files (e.g., tickets, issues) into prompt files.
  • Boundary markers: The skill uses markdown headers like # Intent and # Input as delimiters, but lacks explicit instructions for the model to ignore embedded instructions within the substituted content.
  • Capability inventory: AI agents are executed using the codex CLI with the --dangerously-bypass-approvals-and-sandbox flag, which allows full filesystem write access and network egress across all scripts.
  • Sanitization: No escaping or filtering is performed on external content before it is interpolated into the prompts.
  • [COMMAND_EXECUTION]: The skill performs various system and build-related commands as part of its normal operation.
  • Evidence: Scripts such as scripts/run-fleet.sh and scripts/setup-worktree.sh execute commands like git, npx prisma generate, and various test runners (pnpm test, npm test, cargo check).
  • Context: These executions are necessary for managing git worktrees and validating code changes produced by the agents.
  • [EXTERNAL_DOWNLOADS]: The skill enables outbound network access during agent execution.
  • Evidence: The configuration in scripts/codex-flags.sh explicitly uses the sandbox bypass flag for the codex CLI.
  • Context: This capability is documented as intended to support use cases such as web searches, vulnerability scanning, and fetching dependency information.
Audit Metadata
Risk Level
SAFE
Analyzed
May 15, 2026, 03:52 PM
Security Audit — agent-trust-hub — use-codex