team-iterdev

Warn

Audited by Gen Agent Trust Hub on Mar 8, 2026

Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • [PROMPT_INJECTION]: The skill architecture is susceptible to indirect prompt injection.
      • Ingestion points: The system ingests data from untrusted sources, including the target codebase (in role-specs/architect.md and role-specs/reviewer.md), user-supplied requirements (in SKILL.md), and test output logs (in role-specs/tester.md).
      • Boundary markers: The prompts for sub-agents lack explicit security delimiters or random tokens to isolate system instructions from ingested content, relying solely on natural-language headers such as 'CONTEXT' and 'PURPOSE'.
      • Capability inventory: The sub-agents are granted high-privilege tools, including Bash(), Write(), Edit(), and the ability to spawn recursive Agent() instances.
      • Sanitization: There is no documented mechanism for sanitizing or escaping ingested data before it is interpolated into the prompts for the worker agents.
  • [COMMAND_EXECUTION]: The skill performs extensive autonomous shell operations and code modifications.
      • Evidence: The role-specs/tester.md role implements an automated test-fix cycle that executes shell commands for testing (e.g., npm test, pytest) via the Bash tool.
      • Evidence: The tester role uses a vendor-provided CLI tool (ccw cli) to analyze test failures and autonomously generate and apply code fixes to the project files.
  • [EXTERNAL_DOWNLOADS]: The skill configuration includes infrastructure for managing third-party dependencies.
      • Evidence: The specs/team-config.json file defines an external_dependency_management feature that interacts with npm, pip, maven, and git for version validation and dependency analysis, creating a potential vector for the introduction of external code.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 8, 2026, 03:55 PM