bmad-quick-dev

Pass

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill frequently executes shell commands to manage development state. Specifically, it uses git rev-parse to capture baseline commits and git diff to generate code reviews in step-01-mode-detection.md and step-05-adversarial-review.md. It also explicitly instructs the agent to run project-specific test suites in step-03-execute.md and step-04-self-check.md, which involves executing arbitrary code defined within the project environment.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes content from external files (tech-specs and project-context) that could contain malicious instructions.
      • Ingestion points: The skill loads a user-specified file path as a tech-spec in step-01-mode-detection.md and reads existing code/documentation for context in step-02-context-gathering.md.
      • Boundary markers: The instructions do not define strict delimiters or 'ignore' instructions for the content being read from these files.
      • Capability inventory: The agent has the capability to write files to the project directory and execute shell commands (Git, tests) as seen in step-03-execute.md and step-05-adversarial-review.md.
      • Sanitization: No sanitization or validation logic is applied to the content of the tech-specs or project context files before they influence the agent's task list and implementation plan.
  • [DATA_EXPOSURE]: In step-01-mode-detection.md, the skill accepts an arbitrary file path from the user to be loaded as a 'tech-spec'. If the agent is not constrained by its environment, this mechanism could be abused to read sensitive files (e.g., configuration secrets or SSH keys) if they are passed as the tech-spec path.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 14, 2026, 03:02 PM