gsd-executor
Pass
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the Bash tool to perform a wide range of system operations, including file staging and committing with Git, running project-specific tests, and resolving environment blockers by installing dependencies (npm install, pip install).
- [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection because its core purpose is to ingest and execute instructions from an external PLAN.md file. It lacks boundary markers or sanitization logic to distinguish between legitimate plan tasks and malicious instructions embedded in the project data.
- [COMMAND_EXECUTION]: Under its 'Deviation Rules' (Rules 1-3), the agent is explicitly instructed to automatically modify code, add functionality, and install missing dependencies without seeking user permission. This creates a risk where the agent might perform unintended or harmful system-level changes while attempting to 'fix' a project state derived from untrusted inputs.
- [PROMPT_INJECTION]: Every indirect prompt injection finding requires documenting the following:
  - Ingestion points: The skill reads instructions and state from PLAN.md, STATE.md, and CONTEXT.md (found in SKILL.md).
  - Boundary markers: No specific delimiters or markers are defined to isolate untrusted data from the agent's command instructions.
  - Capability inventory: The agent has access to the Bash, Read, Write, Edit, Grep, and Glob tools, enabling arbitrary file system access and shell command execution.
  - Sanitization: There is no evidence of sanitization, validation, or escaping of the content ingested from the plan files before it influences tool usage.
Audit Metadata