devdocs-pipeline

Pass

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: SAFE

Findings: PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection because its core logic depends on processing potentially untrusted data from local files.
    * Ingestion points: The skill uses the Read, Glob, and Grep tools to scan and analyze files within the docs/devdocs/ directory (e.g., 01-requirements.md, 00-context.md) to determine the current project phase.
    * Boundary markers: No explicit delimiters or instructions are provided to the agent to disregard instructions that might be embedded within the documentation it reads.
    * Capability inventory: Based on its findings, the skill uses the Task tool to invoke other powerful AI agent skills (e.g., /devdocs-requirements, /devdocs-system-design), creating a chain of execution that can be influenced by the ingested data.
    * Sanitization: The skill does not validate or sanitize the documentation content before using it to decide the next stage of the workflow.
    Mitigations: Implement strict schema validation for phase detection and wrap external content in delimiters with explicit 'ignore embedded instructions' warnings.
Audit Metadata

Risk Level: SAFE
Analyzed: Mar 11, 2026, 06:08 AM