team-roadmap-dev

Pass

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: SAFE
Tags: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It ingests data from the project codebase and user-provided descriptions, which are then used to construct prompts for the ccw cli tool and worker agents. A malicious file within the project repository could inject instructions that influence the agent's planning and implementation phases.
  • Ingestion points: Codebase exploration (via Glob and ccw cli), user task descriptions, and internally generated planning artifacts (e.g., IMPL-*.json).
  • Boundary markers: None identified; untrusted content is directly interpolated into instruction templates.
  • Capability inventory: Execution of Bash commands, spawning of Agent workers, and file system modifications via Write and Edit.
  • Sanitization: The skill lacks explicit sanitization or validation logic for external content before it is processed by sub-agents or CLI tools.
  • [COMMAND_EXECUTION]: The skill makes extensive use of the Bash tool for workflow orchestration, directory management, and running development utilities such as tsc or lint. Because the commands are not restricted to those utilities, a subverted planning or implementation phase (for example, via the prompt injection above) could drive the same tool to run arbitrary commands, so the broad Bash capability increases the impact of any logic subversion through malicious input.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 11, 2026, 07:40 AM