
apex

Warn

Audited by Gen Agent Trust Hub on Apr 29, 2026

Risk Level: MEDIUM

Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The workflow relies on executing local bash scripts to initialize task environments and update progress. Evidence: scripts/setup-templates.sh, scripts/update-progress.sh, and scripts/resume_lookup.sh are invoked across various steps. The setup-templates.sh script is also vulnerable to path traversal; if a user provides a malicious feature name (e.g., ../../target), the script may create directories or write files outside the intended output directory.
  • [REMOTE_CODE_EXECUTION]: The skill instructions direct the agent to pass raw user input (task descriptions and feature names) as arguments to bash scripts. This pattern is vulnerable to command injection if the input contains shell metacharacters like backticks, semicolons, or dollar signs. Evidence: In steps/step-00-init.md, the agent is told to run `bash ${CLAUDE_SKILL_DIR}/scripts/setup-templates.sh "{feature_name}" "{task_description}" ...`, where these variables originate from raw user input.
  • [EXTERNAL_DOWNLOADS]: The skill uses the GitHub CLI (gh) to download issue content when provided with an issue reference. Evidence: Found in steps/step-01-analyze.md: `gh issue view <number> --json title,body,labels,assignees,comments,milestone`.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8). It ingests untrusted data from GitHub issues or local files and uses it as foundational context for implementation tasks without sanitization or protective boundary markers. Ingestion points include user input, GitHub issue content, and external context files. Boundary markers are absent, as the instructions do not specify using protective delimiters. The capability inventory includes file system modification, shell script execution, and spawning subagents with tool access. Sanitization is absent, as external data is used directly to define implementation plans.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 29, 2026, 09:29 AM