parallel-dev-cycle
Warn
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: MEDIUM (PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to direct prompt injection as the TASK argument and state description are interpolated into sub-agent prompts without sanitization, allowing users to override agent instructions.
- [PROMPT_INJECTION]: An indirect prompt injection surface exists via the Shared Discovery Board (discoveries.ndjson) and prep-package.json. Ingestion points: Sub-agents read discoveries.ndjson at start and Phase 1 loads prep-package.json. Boundary markers: None are used during interpolation. Capability inventory: Agents have access to Bash, spawn_agent, Read, and Write. Sanitization: Content is not validated before being passed to agents.
- [DATA_EXFILTRATION]: The Requirements Analyst (RA) agent is instructed to fetch arbitrary URLs from user-provided configuration. This can be exploited for SSRF or to exfiltrate sensitive data via URL parameters if an agent is tricked into reading and sending local secrets.
- [COMMAND_EXECUTION]: The skill orchestration encourages agents to run commands from shared state, such as test_command in the discovery board. Malicious manipulation of these fields can lead to arbitrary command execution by sub-agents.
- [COMMAND_EXECUTION]: Agents are provided with high-privilege tools like Bash and spawn_agent to perform development tasks. The lack of strict isolation between processed data and tool inputs allows for potential command injection through malicious requirements or codebase content.