skills/arcblock/idd/intent-normalize/Gen Agent Trust Hub

intent-normalize

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is designed to ingest and process untrusted external content (existing project files) and has the capability to perform write operations (modifying frontmatter, renaming files, creating directories).
      • Ingestion points: Scans and reads content from all .md and .yaml files within intent/, planning/, and module-level intent/ directories.
      • Boundary markers: Absent. There are no instructions to the agent to treat file content as data only or to ignore embedded natural language instructions that might conflict with the skill's logic.
      • Capability inventory: File system write access including frontmatter injection, directory creation (records/, _archive/, _data/), and file renaming based on content analysis.
      • Sanitization: Absent. The skill uses heuristic keyword matching (e.g., searching for 'code analysis', 'refactor') to determine metadata types, which can be easily manipulated by an attacker to misclassify files or trigger unexpected agent behaviors.
  • [COMMAND_EXECUTION] (MEDIUM): While the skill uses high-level agent tools, it performs broad file system mutations (recursive scanning and bulk modification) across the project structure. Without strict path validation, this could be leveraged to modify unintended files if the agent is misled by the content of the files it is 'normalizing'.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 02:01 AM