skills/agarichan/sefirot/loop/Gen Agent Trust Hub

loop

Pass

Audited by Gen Agent Trust Hub on Mar 9, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill performs various system operations using the 'sefirot' CLI and git. It specifically executes 'sefirot loop', 'git merge', and 'git worktree remove' as part of its core logic.
      • The Builder and Verifier agents execute arbitrary validation and testing commands specified in the project's CLAUDE.md file, which could lead to unintended command execution if the project configuration is malicious.
  • [EXTERNAL_DOWNLOADS]: The skill directs users to install the sefirot Python package from an external registry (PyPI) if it is missing from the environment.
  • [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface where external data (user answers) is used to influence agent behavior.
      • Ingestion points: User answers collected during the 'loop' execution are written directly into design documents (e.g., in SKILL.md Step 2).
      • Boundary markers: User input is appended under a markdown header '#### 追加指示(ユーザー回答)', which provides limited protection against adversarial input.
      • Capability inventory: The Builder agent (prompts/builder.md) can write files and execute arbitrary shell commands defined in CLAUDE.md. The Verifier agent (prompts/verifier.md) can perform git branch management and deletions.
      • Sanitization: There is no evidence of input validation or sanitization to prevent the user-provided answers from containing malicious instructions that override the agent's primary task.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 9, 2026, 07:02 PM