orchestrate
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through the processing of untrusted implementation plans or inline task lists.
- Ingestion points: Plan files (e.g., .claude/reference/phase-10-task-plan.md, docs/plans/plan.md) or inline semicolon-separated strings provided in $ARGUMENTS.
- Boundary markers: Data is interpolated into role-specific system prompt templates (e.g., prompt-templates/backend-impl.md) using delimiters like {{TASK_DESCRIPTION}} and {{TASK_FILES}}.
- Capability inventory: The orchestrator uses the Bash tool to execute build commands, tests, linters, and to spawn sub-agents with file-system access.
- Sanitization: No explicit sanitization or escaping of task descriptions or file lists from the plan is described before they are included in sub-agent prompts.
- [COMMAND_EXECUTION]: The skill executes arbitrary shell commands defined in the verify_command field of input plan metadata. This is used to run validation suites (pnpm build, vitest, pnpm lint) to confirm task completion.
- [REMOTE_CODE_EXECUTION]: In headless mode, the skill spawns independent claude -p processes using the --dangerously-skip-permissions flag. While the agent's capabilities are restricted using the --allowedTools flag to a set of development tools (Bash, Edit, Write, Read, Glob, Grep), it remains a high-privilege execution pattern.