workflow-plan-execute
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Finding categories: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION] (HIGH): Use of bash() blocks with interpolated user input. In Mode 2 and Mode 3 the skill generates folder slugs by piping the user-supplied task description through shell utilities. Evidence: the examples show bash(echo "..." | sed ...). Risk: if a user-provided description contains shell metacharacters such as $(...) or backticks, the description is evaluated by the shell and can execute arbitrary commands within the agent's environment.
- [PROMPT_INJECTION] (HIGH): Indirect prompt injection surface identified.
  1. Ingestion points: the user-provided task description in Step 1.1 and Step 1.4.
  2. Boundary markers: absent; user content is interpolated directly into markdown headers in planning-notes.md.
  3. Capability inventory: the skill uses Write() for file creation and bash() for shell execution.
  4. Sanitization: absent for file content; only the folder-name slugging is performed.
  Risk: malicious instructions embedded in a description are written into the notes unmarked and can compromise subsequent workflow phases when agents read planning-notes.md as trusted context.
- [EXTERNAL_DOWNLOADS] (LOW): The automated scanner detected a blacklisted URL in requirements.md. Although that file was not provided in the reviewed snippet, the detection of a malicious URL in the skill's project context indicates a potential supply chain or metadata risk.
Recommendations
- AI detected serious security threats
- Contains 1 malicious URL(s) - DO NOT USE