systematic-debugging

Warn

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill utilizes extremely prescriptive language (e.g., 'The Iron Law', 'MANDATORY', 'Violating the letter... is violating the spirit') to override default agent behavior and enforce a rigid multi-phase operational loop.
  • [PROMPT_INJECTION]: The skill has a significant indirect prompt injection surface. (1) Ingestion points: error messages, logs, git diffs, web search results, and source code files. (2) Boundary markers: no delimiters or ignore instructions are present. (3) Capability inventory: subprocess execution via Bash (curl, npm test) and parallel sub-agent spawning. (4) Sanitization: no escaping or validation of external content is performed before interpolation into sub-agent tasks.
  • [COMMAND_EXECUTION]: The utility script 'find-polluter.sh' executes 'npm test' on files identified by a user-provided glob pattern, facilitating the execution of arbitrary code within the test environment.
  • [CREDENTIALS_UNSAFE]: Phase 1 instructions and the 'defense-in-depth.md' documentation explicitly encourage the agent to instrument code to log sensitive environment variables (e.g., IDENTITY) and system security information (e.g., 'security list-keychains') to the console.
  • [DATA_EXFILTRATION]: The skill's tool configuration allows 'curl' GET operations. When combined with the instructions to log environment secrets, this creates a potential risk of data exfiltration via URL parameters to untrusted external domains.
Audit Metadata
  Risk Level: MEDIUM
  Analyzed: Mar 1, 2026, 01:11 AM