The Agent Skills Directory

[COMMAND_EXECUTION]: A shell command injection vulnerability exists in SKILL.md within the 'Phase 0: Dynamic Task Decomposition' section. The script extracts the user-provided project path or description from command-line arguments and stores it in the requirement variable. This variable is then directly interpolated into a command string executed via the Bash tool: ccw cli -p "... PROJECT TO ANALYZE: ${requirement}" .... An attacker can manipulate the shell execution environment by providing a requirement string containing shell metacharacters such as double quotes followed by ;, &, or | to execute arbitrary commands with the agent's privileges.
[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8), as its core function is to process untrusted project data.
Ingestion points: The skill ingests data from the entire project structure using the @**/* context in SKILL.md and specific file scopes in instructions/agent-instruction.md.
Boundary markers: The instructions use Markdown headers to separate context, but they lack explicit boundary markers or instructions to disregard directives found within the analyzed project files.
Capability inventory: The skill possesses extensive capabilities, including directory and file creation (Bash, Write), file reading (Read), and the ability to spawn additional agents (spawn_agents_on_csv).
Sanitization: There is no logic present to sanitize or escape project content before it is passed to the analysis tools or used to generate task descriptions for subsequent waves.

project-documentation-workflow