skill-researcher

Warn

Audited by Gen Agent Trust Hub on Mar 18, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill constructs shell commands and jq filters using string interpolation of variables retrieved from local state files.
  • Evidence: The jq filters in Stages 2, 7, and 8 use shell variable interpolation (e.g., select(.project_number == '$task_number')). This allows jq logic injection if the task number is manipulated to include jq operators.
  • Evidence: File paths in Stages 3 and 10 are constructed using the $project_name variable (e.g., specs/${padded_num}_${project_name}/...). Since this variable is sourced from state.json (which may be influenced by subagent output), a value containing path traversal sequences (e.g., ../../) could lead to unauthorized file operations.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection by processing and propagating untrusted data from a subagent.
  • Ingestion points: Data is ingested from specs/${padded_num}_${project_name}/.return-meta.json, which is populated by the general-research-agent after performing external web searches.
  • Boundary markers: Absent. Subagent-provided strings like artifact_summary are interpolated directly into state.json, TODO.md, and the final return summary without delimiters or safety instructions.
  • Capability inventory: The skill possesses Bash, Write, Edit, and Git capabilities, allowing injected instructions to potentially modify project configuration, code, or repository history.
  • Sanitization: While jq is used for structural JSON integrity, there is no semantic validation or filtering of the natural language content to prevent it from carrying malicious instructions to the orchestrator agent.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 18, 2026, 01:12 PM