workflow-plan

Pass

Audited by Gen Agent Trust Hub on Apr 6, 2026

Risk Level: SAFE
Full Analysis
  • [INDIRECT_PROMPT_INJECTION]: The skill ingests user input and project data (e.g., in Phases 1 and 2), which is then interpolated into prompts for subagents such as the context-search-agent and action-planning-agent. While this is a common pattern for orchestrator skills, it presents a surface for indirect prompt injection if malicious content is present in the analyzed codebase.
  • Ingestion points: User goal and scope provided via arguments; project files analyzed via bash and glob tools.
  • Boundary markers: Phase documents use structured sections, but explicit delimiters to segregate untrusted data from instructions are not prominent in the orchestrator logic.
  • Capability inventory: Subprocess calls (Bash), file modifications (Write, Edit), and delegation to other agents with broad permissions.
  • Sanitization: Standard validation of session IDs and file existence is performed, but no specific sanitization of interpolated text was observed.
  • [COMMAND_EXECUTION]: The skill utilizes the Bash tool and platform-specific CLI tools (e.g., ccw) to perform repository analysis, directory management, and metadata updates. These operations are scoped to the project environment and are consistent with the skill's purpose.
  • [DATA_EXPOSURE]: The skill reads project structure, architecture patterns, and file contents to generate context packages for planning. This is the primary function of the tool and does not involve exfiltration to external or untrusted domains.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 6, 2026, 11:08 AM