auto-task

Pass

Audited by Gen Agent Trust Hub on May 14, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it fetches data from untrusted external sources (WebSearch, WebFetch) and processes it within a context that has high-privilege capabilities (Bash execution).
  • Ingestion points: The agent is instructed to use WebSearch and WebFetch to gather data, as well as Read to process local files like TASK.md and other work documents.
  • Boundary markers: There are no explicit delimiters or instructions provided to the agent to distinguish between its own operational instructions and potentially malicious instructions embedded in the external data it fetches.
  • Capability inventory: The agent has access to a powerful toolset including Bash, Write, Edit, Glob, Grep, and the ability to spawn Sub-agents.
  • Sanitization: No sanitization or validation protocols are defined for handling the content retrieved from external sources before it is used to influence the task queue or decision-making process.
  • [COMMAND_EXECUTION]: The instruction set explicitly mandates the use of system-level tools such as Bash for autonomous task execution. While this is the core intended functionality for a long-running execution agent, it provides a direct path for the agent to modify the local environment based on its internal logic or instructions received via indirect injections.
Audit Metadata
Risk Level: SAFE
Analyzed: May 14, 2026, 06:53 AM
Security Audit — agent-trust-hub — auto-task