The Agent Skills Directory

[COMMAND_EXECUTION]: The skill is instructed to "Run the phase's automated checks" (such as tests, linting, or build processes) and is explicitly permitted to "write and run temporary scripts to verify the behavior." These actions are driven by content found within implementation plans, allowing for the execution of arbitrary shell commands or scripts.- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and acts upon instructions from external files. An attacker who can influence the content of a plan file in rpi/plans/ or any file referenced by a plan could cause the agent to perform unauthorized actions. Ingestion points: Plan files in rpi/plans/ and all files referenced within those plans. Boundary markers: None; the agent is told to read the plan "completely" and follow its "intent." Capability inventory: The skill has the ability to read and write to the filesystem (code changes, plan updates) and execute subprocesses (automated checks and temporary scripts). Sanitization: There is no mention of validating, escaping, or filtering instructions or commands extracted from the plan files before execution.

rpi-implement-plan