Drop a SKILL.md into a repo. Codex or Claude picks it up. Now it's running instructions you didn't write.
No exploit needed. It's just how skill loading works.
The idea is simple: your agent should not trust whatever happens to be sitting in .agents/skills.
First open-source project, so please break it.
