The Agent Skills Directory

COMMAND_EXECUTION (MEDIUM): The scripts scripts/check-prerequisites.sh and scripts/common.sh contain relative path references (../../spec-kit/scripts/) to locations outside the skill's defined folder structure. Executing code from parent directories is a risk if the environment contains untrusted files or if the path resolution can be manipulated.
EXTERNAL_DOWNLOADS (LOW): The SKILL.md file contains a reference to https://github.com/user-attachments/files/23166782/reconcile.md. The user-attachments domain on GitHub is used for file uploads in issues/comments and does not carry the same trust level as a managed repository, making it a potential source of malicious data.
PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8).
Ingestion points: User-provided 'gap reports', local markdown files (spec.md, plan.md, tasks.md), and content from an external GitHub attachment URL.
Boundary markers: Absent; there are no clear delimiters or instructions to ignore embedded commands in the processed artifacts.
Capability inventory: The skill has the ability to execute shell scripts and perform file-write operations on the local filesystem.
Sanitization: None; the skill does not sanitize or validate the content of the 'gap report' or external references before processing.

spec-kit-reconcile