spec-implement

Fail

Audited by Gen Agent Trust Hub on Apr 17, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill's implementation guides (references/implement-guide.md and .ja.md) explicitly instruct the orchestrator to launch sub-agents with security-bypassing flags.
  • Evidence: Instructions to use claude --dangerously-skip-permissions and codex --dangerously-bypass-approvals-and-sandbox are provided for the cmux dispatch patterns. These flags disable safety filters and sandboxing, increasing the risk of unauthorized actions if the agent processes malicious input.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it incorporates external, potentially untrusted data into its execution flow without adequate protection.
  • Ingestion points: The skill reads GitHub issue bodies via gh issue view and parses local project files such as requirement.md, tasks.md, and issue-to-pr-workflow.md (SKILL.md Phases 3 and 4).
  • Boundary markers: No boundary markers (e.g., delimiters or explicit instructions to ignore nested commands) are used to separate user-controlled data from system instructions.
  • Capability inventory: The skill has the ability to execute shell commands (git, gh, cmux), create Pull Requests, and invoke other worker skills with elevated permissions.
  • Sanitization: There is no evidence of sanitization or validation of the data retrieved from issues or files before it is used to drive the orchestration logic.
  • [EXTERNAL_DOWNLOADS]: The skill documentation recommends the installation of external dependencies from a third-party source.
  • Evidence: The error handling section in SKILL.md suggests installing worker skills from the anyoneanderson/agent-skills repository using npx.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 17, 2026, 08:25 AM