skills/craftell/agent-skills/jdi/Gen Agent Trust Hub

jdi

Warn

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: MEDIUM
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection during its orchestration flow. In the run command, the orchestrator retrieves task context (subject and description) from external backends like Beads or Claude Tasks and interpolates this data directly into the instructions for sub-agents without using boundary markers, delimiters, or sanitization. This provides an attack surface where malicious task content could hijack sub-agent behavior. Additionally, the apply-lessons command extracts 'lessons' from agent logs and converts them into persistent behavioral rules in CLAUDE.md or .claude/rules/. If these logs are poisoned by injected content, it could lead to the persistent modification of the agent's core instructions.
  • [COMMAND_EXECUTION]: The orchestrator relies on the Bash tool for several critical operations, including lock management in .jdi/locks/, state tracking via the .jdi/status file, and extracting decision keywords from agent outputs using utilities like tail and grep. The included just-do-it.sh script also uses shell commands to manage the agent's execution loop.
  • [EXTERNAL_DOWNLOADS]: The init command and sample skill templates reference external dependencies, such as the 'Beads' CLI tool, as prerequisites for specific task-management backends.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 6, 2026, 07:14 PM