super-swarm
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- Prompt Injection (LOW): The skill is susceptible to indirect prompt injection (Category 8) because it processes untrusted plan files.
  * Ingestion points: Tasks and validation steps are extracted from external markdown files (e.g., plan.md) in Step 2.
  * Boundary markers: Content from the plan file is interpolated into the subagent prompt template (e.g., [Full description], [Tests or verification from plan]) without delimiters or safety warnings.
  * Capability inventory: The skill directs subagents to read, edit, and create files and execute arbitrary validation/test commands in Step 4 and Step 6.
  * Sanitization: No sanitization or validation is performed on the ingested text before it is presented as instructions to subagents.
- Command Execution (SAFE): The orchestrator is designed to run tests and validation commands to verify task completion. Although this is a powerful capability, it is considered safe in this context because it is the primary intended function of the skill, and the use case reduces its severity.
Audit Metadata