validate-implementation-plan

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • Prompt Injection (LOW): The skill is susceptible to indirect prompt injection because it ingests and processes untrusted implementation plans that could contain hidden instructions to manipulate the agent's behavior. Evidence Chain:
      1. Ingestion points: The plan-path file content is read via !cat $0 (SKILL.md).
      2. Boundary markers: Absent; instructions tell the agent to reproduce the plan text exactly.
      3. Capability inventory: WebSearch, WebFetch, Write, Grep, Glob (SKILL.md).
      4. Sanitization: No sanitization or filtering of the input plan content is performed.
  • Command Execution (LOW): The use of the !cat $0 construct to read the file provided by the user in $0 presents a minor risk of path traversal or arbitrary file access if the underlying system does not validate that the path remains within intended project boundaries.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 04:37 PM