bmad-test-strategy

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill exhibits a significant vulnerability surface where malicious instructions in input data can influence agent output.
      • Ingestion points: The skill reads prd_and_epics, architecture, and stories (SKILL.md), which are external files often subject to collaborator input.
      • Boundary markers: Absent. The skill does not define delimiters or provide the agent with instructions to disregard embedded commands in the source documents.
      • Capability inventory: The skill is granted the Write tool and is explicitly tasked with 'Authoring executable artifacts (ATDD scenarios, scripts, dashboards)' (SKILL.md).
      • Sanitization: Absent. No logic is present to sanitize or validate external requirements before they are interpolated into scripts or strategies.
  • Command Execution (MEDIUM): Although the skill does not have a direct shell tool, its mission involves generating executable scripts using the Write tool. In the context of the identified injection vulnerability, this allows an attacker to indirectly achieve command execution by poisoning the requirements used to generate these scripts.
  • Metadata Poisoning (LOW): The skill uses auto-invoke: true based on broad keyword patterns like 'test' or 'QA'. While not inherently malicious, this increases the surface area for the skill to be triggered unexpectedly by malicious content in a shared workspace.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 10:54 AM