harden-plan

Pass

Audited by Gen Agent Trust Hub on Apr 16, 2026

Risk Level: SAFE
Finding categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it ingests untrusted user-provided plan text and interpolates it into prompts for subagents.
  • Ingestion points: Phase 1 extracts content from user-specified plan files, plan-mode buffers, or inline text into variables such as stated_goal and stated_steps (SKILL.md).
  • Boundary markers: Absent. The prompt templates for Subagent A and Subagent B fill their placeholders with user content without using explicit delimiters and without instructing the subagents to ignore commands embedded in that content.
  • Capability inventory: File system access (read/write), shell command execution via bash, and the ability to trigger and coordinate multiple AI subagents.
  • Sanitization: No evidence of sanitization, escaping, or validation of the plan content was found before it is processed by the AI agents.
  • [COMMAND_EXECUTION]: The skill uses local shell commands for repository mapping and environment verification.
  • Evidence: Phase 1 utilizes bash -c to execute find, grep, and awk commands to gather codebase context (SKILL.md). Additionally, the skill performs directory existence checks ([ -d <dir> ]) using paths extracted from the user's plan (stated_files), which presents a risk of command injection if the underlying agent platform executes these checks in a shell without proper validation.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 16, 2026, 11:41 AM