Gen Agent Trust Hub audit: skills/coroboros/agent-skills/spec

Skill: spec

Result: Pass

Audited by Gen Agent Trust Hub on Apr 29, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests untrusted data from external sources like codebase files, brainstorm reports, and GitHub issues to generate project specifications. Malicious content in these sources could potentially influence the agent's output or actions.
  • Ingestion points: Processes files provided via the -f flag and fetches GitHub issue details using gh issue view in steps/step-01-discover.md.
  • Boundary markers: Absent. There are no explicit delimiters or instructions to the agent to ignore instructions embedded within the ingested data.
  • Capability inventory: The skill can create directories, write files, and execute shell commands via the GitHub CLI and local scripts as seen in steps/step-03-issues.md and SKILL.md.
  • Sanitization: None detected. The skill lacks logic to sanitize or escape data fetched from external sources before including it in prompts or command arguments.
  • [COMMAND_EXECUTION]: The skill constructs and executes GitHub CLI commands in steps/step-03-issues.md that include content derived from external sources (e.g., workstream descriptions). While it uses heredoc patterns intended for safety, the lack of explicit sanitization of this content represents a potential command breakout surface if the input data contains malicious heredoc delimiters.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 29, 2026, 09:29 AM