
spec-kit-plan

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • COMMAND_EXECUTION (MEDIUM): The skill workflow involves executing several shell scripts (scripts/setup-plan.sh and scripts/update-agent-context.sh). The source code for these scripts is not provided within the skill; they contain relative path references (../../spec-kit/scripts/...) to a parent/sibling directory. This assumes a specific, unverified environment and executes code that is not part of the analyzed package.
  • EXTERNAL_DOWNLOADS (LOW): The skill references an external repository on GitHub (github/spec-kit). While 'github' is a trusted organization, the dependency on external code via relative paths is a concern for portability and security. Per [TRUST-SCOPE-RULE], the reference to the trusted organization is downgraded, but the script execution behavior remains a finding.
  • PROMPT_INJECTION (SAFE): The skill uses instructional language to guide the agent but does not contain patterns attempting to bypass safety filters or override system constraints.
  • DATA_EXFILTRATION (SAFE): The skill reads local files such as spec.md and constitution.md and writes to other local files. There are no detected network operations or attempts to send this data to external domains.
  • INDIRECT_PROMPT_INJECTION (LOW): The skill has a potential attack surface for indirect prompt injection.
      ◦ Ingestion points: spec.md, memory/constitution.md
      ◦ Boundary markers: Absent. The skill does not define specific delimiters to separate untrusted data from instructions.
      ◦ Capability inventory: Executes shell scripts (setup-plan.sh, update-agent-context.sh) and modifies agent context files (AGENTS.md, CLAUDE.md).
      ◦ Sanitization: Not detected. The skill processes the content of these files directly into documentation and configuration.
  • DYNAMIC_EXECUTION (MEDIUM): The skill uses a redirection pattern for its scripts, essentially loading executable logic from a computed relative path (../../spec-kit/).
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:37 PM