project-steward

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill performs frequent subprocess calls to a local CLI tool (steward.py) with arguments derived from project data.
      • Evidence: Multiple commands in the 'Tool Mapping' section (e.g., python skills/project-steward/scripts/steward.py log --scenario "...") use dynamic string interpolation for arguments.
      • Risk: If the agent populates these arguments with unsanitized content from the codebase or user input, it may lead to command injection vulnerabilities depending on how steward.py or the underlying shell handles the input.
  • [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8) due to its extensive data ingestion and high-privilege capabilities.
      • Ingestion Points: The scan command reads the entire codebase (AST-based), while other commands read docs/roadmap.md, docs/errors.md, and docs/memory.md (via SKILL.md workflows).
      • Boundary Markers: Absent. The instructions do not provide delimiters or warnings to ignore instructions found within the processed files.
      • Capability Inventory: The agent is authorized to edit code files, execute CLI scripts, and update project documentation.
      • Sanitization: Absent. There is no mention of validating or escaping external content before it is processed or used in commands.
      • Risk: Malicious instructions hidden in code comments or bug reports could trick the agent into performing unauthorized file modifications or executing arbitrary commands during automated workflows like 'Standard Fix Process'.
  • [DATA_EXFILTRATION] (MEDIUM): The 'Code Navigator' and 'Memory Manager' capabilities allow the agent to traverse the entire project structure and aggregate context.
      • Risk: While no direct network exfiltration is visible, the agent's ability to summarize and consolidate project data (via steward.py memory) could be leveraged via indirect injection to move sensitive data (like hardcoded keys found during a scan) into less-protected documentation files.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 06:32 AM