
spec-kit

Pass

Audited by Gen Agent Trust Hub on Apr 9, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The scripts check-prerequisites.sh, setup-plan.sh, and update-agent-context.sh use eval $(get_feature_paths) to load configuration variables. This function constructs a shell script in memory from directory names found in the specs/ folder and executes it. While the skill's own directory-creation logic includes sanitization, running eval on strings derived from the file system is a pattern that could be exploited if an attacker manages to create maliciously named directories.
  • [PROMPT_INJECTION]: The skill exposes a surface for indirect prompt injection by writing untrusted user input into agent context files.
    • Ingestion points: Feature descriptions via create-new-feature.sh and plan.md content via update-agent-context.sh.
    • Boundary markers: None identified in the generated agent context files (e.g., CLAUDE.md, GEMINI.md).
    • Capability inventory: The skill has broad file-write access to the repository root and shell execution capabilities within the agent environment.
    • Sanitization: Content is passed through sed for escaping before being written to files, but there is no semantic validation or filtering of the injected instructions.
  • [SAFE]: The skill operates entirely within the local file system and git repository. No external network requests, data exfiltration, or credential access patterns were detected. It is derived from well-known public repositories under the trusted GitHub organization.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 9, 2026, 03:46 PM