The Agent Skills Directory

[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from the user's codebase and project configuration files to inform the specification generation process.
Ingestion points: The skill reads local files (e.g., package.json, pyproject.toml) and project source code during Phase 1 (Discovery) via the cli-explore-agent and subsequently incorporates this data into prompts for Gemini, Codex, and Claude.
Boundary markers: Analysis prompts use standard Markdown headings (e.g., === PRODUCT BRIEF ===) to delimit data, but lack explicit instructions for the AI to ignore instructions potentially embedded within the ingested codebase files.
Capability inventory: The skill has access to sensitive tools including Bash for command execution, Write for file system modifications, and Skill for triggering downstream implementation workflows (e.g., workflow-plan, issue:new).
Sanitization: There is no evidence of data sanitization or escaping of the ingested codebase content before it is interpolated into the Large Language Model prompts.
[DATA_EXFILTRATION]: During the discovery phase, the skill explores the local project structure and reads configuration and source files. This information is then transmitted to external AI providers (Google, OpenAI/Microsoft, and Anthropic) via the ccw CLI tool for processing. While these are well-known technology services, users should be aware that sensitive codebase metadata and snippets are sent externally to facilitate document generation.

spec-generator