team-issue

Pass

Audited by Gen Agent Trust Hub on Mar 8, 2026

Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill architecture is susceptible to indirect prompt injection. Data sourced from external issue trackers is processed and interpolated into prompts for solution generation and code implementation.
      • Ingestion points: Untrusted content enters the workflow in role-specs/explorer.md via ccw issue status, which is then passed to role-specs/planner.md and eventually role-specs/implementer.md.
      • Boundary markers: The prompt templates in role-specs/planner.md and role-specs/implementer.md use standard Markdown headers (e.g., ## Issue, ## Solution Plan) as delimiters. These markers are insufficient for preventing an adversary from embedding malicious instructions within the data fields.
      • Capability inventory: The skill possesses significant capabilities across its roles, including the Bash tool for running CLI commands, Write and Edit tools for file modification, and the Agent tool for spawning sub-agents.
      • Sanitization: There is no evidence of sanitization or strict schema validation for the external data before it is incorporated into executive prompts for the ccw cli tool.
  • [COMMAND_EXECUTION]: The skill relies heavily on the Bash tool to interact with local ccw CLI utilities for issue management and code implementation. While this is core to its intended functionality, the broad execution scope across all worker roles represents a significant capability tier.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 8, 2026, 03:52 PM