The Agent Skills Directory

[COMMAND_EXECUTION]: The skill executes external commands via maestro delegate and bash. While the implementation correctly attempts to mitigate shell injection by writing the prompt to a temporary file (/tmp/iss-analyze-...) rather than passing it directly as a CLI argument string, the underlying data remains unvalidated.
[PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8) due to its handling of untrusted data from the issues.jsonl file.
Ingestion points: The skill reads title, description, and context fields from .workflow/issues/issues.jsonl in Step 1. This file represents an external data source that could be influenced by malicious actors (e.g., via a bug report or feature request).
Boundary markers: The skill lacks explicit boundary markers or "ignore previous instructions" warnings when interpolating the issue description into the prompts for spawn_agent (Step 2) and maestro delegate (Step 3).
Capability inventory: The skill possesses significant capabilities, including Bash (shell access), Read and Write (filesystem access), and the ability to orchestrate other agents (spawn_agent). A malicious instruction hidden in an issue title could potentially manipulate the Bash command or influence the analysis record written back to the filesystem.
Sanitization: While the ISS-ID is validated against a strict regex, the title and description fields are used raw without sanitization, filtering, or escaping of potentially malicious LLM instructions.

manage-issue-analyze