subagent-driven-development

Pass

Audited by Gen Agent Trust Hub on Mar 16, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection attacks, in which malicious instructions embedded in implementation plans could be executed by subagents.
    • Ingestion points: Implementation plans (referenced as docs/plans/feature-plan.md in examples) are read in SKILL.md, and their content is interpolated into prompts for subagents in implementer-prompt.md and spec-reviewer-prompt.md.
    • Boundary markers: Absent. The task text is inserted into prompts without specific delimiters and without instructions telling the subagents to ignore any instructions embedded in the plan text.
    • Capability inventory: The implementer subagent is granted capabilities to modify the codebase, write and execute tests, and perform git commits via the general-purpose tool and environment access.
    • Sanitization: Absent. There is no evidence that the content of the plan files is validated or filtered before the agent processes it.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 16, 2026, 10:10 PM