The Agent Skills Directory

Indirect Prompt Injection (HIGH): The skill is designed to take external objectives (e.g., 'Build user authentication') and translate them into actionable plans and code implementations. This creates a vulnerability where untrusted data (like issue descriptions or requirements) can influence the agent's actions.
Ingestion points: objective parameter in orchestrator.initialize() and the feature list generated or loaded during the PLAN phase.
Boundary markers: None defined; the system lacks clear delimiters between system instructions and untrusted task descriptions.
Capability inventory: Full write access to the project directory, execution of code/tests, and Git version control operations.
Sanitization: No sanitization or validation of the generated implementation steps is mentioned.
Dynamic Execution (HIGH): The orchestration flow includes an 'EXECUTE' phase described as a 'TDD implementation loop'. This implies the skill writes code and immediately executes it (via tests or direct runs) to validate functionality. If the generation process is compromised via prompt injection, the agent will execute malicious code with the permissions of the local environment.
Command Execution (MEDIUM): The 'COMMIT' phase suggests interaction with the Git CLI. Without strict validation of commit messages or file paths derived from the 'PLAN' phase, this could be exploited for command injection depending on the underlying implementation in autonomous_orchestrator.py.

ac-autonomous-orchestrator