analyze-with-file

Warn

Audited by Gen Agent Trust Hub on Mar 7, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the Bash tool for several operations, including determining the project root, creating session directories, and identifying the project's programming language. Crucially, in the execution phase (Phase 5), it is designed to run arbitrary shell commands defined in the convergence.verification field (e.g., npm test, jest, npx tsc) and perform file system modifications.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8). It ingests untrusted data from the local codebase through Grep, Glob, and Read operations during the 'Exploration' phase. Because the findings from this data are used to generate 'Recommendations' and 'Implementation Steps' that the agent may later execute, an attacker could place instructions inside a source code file's comments or documentation to manipulate the agent's behavior.
      • Ingestion points: Reads files from the codebase (detected Node.js, Python, Go, etc.) using search tools in Step 2.1.
      • Boundary markers: The skill does not implement explicit boundary markers or 'ignore' instructions when processing codebase content for the discussion.md or conclusions.json files.
      • Capability inventory: The skill has high-privilege capabilities including Bash command execution, Write, Edit, and Read across the entire project directory.
      • Sanitization: There is no evidence of sanitization or validation of the content read from files before it is interpolated into analysis summaries or task implementation steps.
  • [REMOTE_CODE_EXECUTION]: While the skill does not download external scripts directly from the internet, it demonstrates dynamic code execution (Category 10) by generating .task/*.json files at runtime based on its analysis. It then interprets and executes the steps defined within these dynamically created files, which is a high-risk pattern if the source analysis was compromised.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 7, 2026, 12:07 AM