The Agent Skills Directory

[PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection because it parses untrusted data to determine its execution flow. It reads trigger definitions and milestone status from files that could be influenced by external actors or malicious inputs during a project's lifecycle.
Ingestion points: The skill reads logic from skills/auto-trigger/SKILL.md and status indicators from various files in the docs/ directory.
Boundary markers: There are no explicit markers or 'ignore' instructions provided to the agent when processing these files, increasing the risk that embedded instructions in the documentation could hijack the orchestrator's logic.
Capability inventory: The skill possesses powerful capabilities including Bash, Write, Edit, and Read which can be used to modify the environment or exfiltrate data if the workflow is diverted.
Sanitization: No sanitization or schema validation is performed on the Markdown or YAML content read from the filesystem before it is used to trigger subsequent actions.
[COMMAND_EXECUTION]: The skill utilizes the Bash tool to verify milestones and project state.
Evidence: The skill documentation explicitly lists implementation steps using shell commands such as grep, ls, and cat to check file contents and existence. While used for legitimate tracking, this mechanism executes logic based on the internal content of the files being scanned.

workflow-orchestrator