
swain-retro

Warn

Audited by Gen Agent Trust Hub on Apr 3, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill interpolates user-supplied or context-derived identifiers (such as <EPIC-ID> and <SPEC-IDs>) directly into shell commands, for example: bash "$REPO_ROOT/.agents/bin/chart.sh" deps <EPIC-ID>. If these identifiers are not strictly validated or shell-escaped before interpolation, the resulting command is vulnerable to command injection.
  • [COMMAND_EXECUTION]: The skill relies on executing multiple scripts located in the repository's .agents/bin/ directory (e.g., swain-session-check.sh, chart.sh, resolve-artifact-link.sh). This pattern assumes the integrity of the repository's local environment and scripts, which could be compromised in shared or untrusted repository contexts.
  • [PROMPT_INJECTION]: The skill processes untrusted data from .agents/session.json (which contains conversation history), git commit logs, and existing artifacts to synthesize summaries and reflection questions. This creates a surface for Indirect Prompt Injection, where malicious content embedded in logs or commits could attempt to override agent instructions during the retrospective process.
  • Ingestion points: .agents/session.json, git log, and EPIC/SPEC markdown artifacts.
  • Boundary markers: None observed in the instructions to delimit untrusted data.
  • Capability inventory: Includes shell command execution (bash, git, gh), file system modification (Write, Edit), and creation of Claude memory files.
  • Sanitization: No explicit sanitization or validation of the ingested external content is mentioned before it is used for synthesis or shell command arguments.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 3, 2026, 05:42 AM