skill-nix-research

Warn

Audited by Gen Agent Trust Hub on Apr 27, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Unsafe variable interpolation in shell scripts. In Stage 3, the project_name variable (sourced from state.json) is used directly in a directory path and inside a heredoc block. If the project name contains shell metacharacters or command substitutions (e.g., $(command)), they may be executed by the shell during file creation.
  • [COMMAND_EXECUTION]: JQ filter injection. In Stage 2, the $task_number variable is interpolated directly into the jq filter string using shell concatenation instead of being passed as a safe argument via the --arg or --argjson flags. This allows an attacker who can control the task number to manipulate the logic of the JSON update.
  • [DATA_EXFILTRATION]: Risk of accidental data exposure via broad git commands. The skill uses git add -A in Stage 9, which stages all changes in the current repository. If sensitive files, environment variables, or temporary credentials were created or modified during the session, they would be automatically committed to the git history.
  • [PROMPT_INJECTION]: Indirect prompt injection surface identified. The skill ingests untrusted data from specs/state.json (such as description and project_name) and a user-provided focus_prompt, which are then passed to a subagent via the Task tool without sanitization.
      • Ingestion points: specs/state.json (metadata fields) and the focus_prompt input.
      • Boundary markers: None present; data is passed directly into the tool prompt.
      • Capability inventory: The skill and its subagent have access to Bash, Edit, Write, and Task tools.
      • Sanitization: No validation or escaping is performed on external content before interpolation.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 27, 2026, 12:36 AM