The Agent Skills Directory

[COMMAND_EXECUTION]: The skill is configured with the Bash tool and directs the agent to execute shell commands derived from the project files it is analyzing to "verify each step works."
Evidence: The markdown body contains the instruction: "Don't just read the README — actually verify each step works on the current system," and provides templates for executing arbitrary commands found in the repo (e.g., npm run dev, python manage.py migrate).
[PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection because it ingests and processes content from a variety of untrusted files as instructions for its workflow.
Ingestion points: The skill reads package.json, .env.example, docker-compose.yml, README.md, and other project-specific configuration files (SKILL.md).
Boundary markers: Absent. There are no delimiters or instructions to the agent to treat the content of these external files as untrusted data or to ignore embedded commands.
Capability inventory: The skill allows the use of Bash, Read, Grep, and Glob tools, providing a powerful execution environment for any instructions injected via project files.
Sanitization: None. The skill does not describe any methods for validating or escaping the strings retrieved from the filesystem before they are used in commands.
[EXTERNAL_DOWNLOADS]: The skill automates the use of package managers that download and execute code from public registries based on potentially malicious configuration files.
Evidence: The workflow includes automated steps for npm install, pip install, composer install, and bundle install, which fetch dependencies from external sources without prior verification of the repository's integrity.

setup-guide