The Agent Skills Directory

[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes data from external milestone summary files (*-SUMMARY.md) to identify integration points and endpoints for testing.
Ingestion points: Data is ingested from the .planning/phases/ directory via cat and grep commands in Step 1 and Step 2.
Boundary markers: Absent. The skill does not use delimiters or instructions to prevent the agent from following malicious commands embedded in the summary files.
Capability inventory: The skill utilizes Bash, WebFetch (via curl), and database tools (npx prisma), which could be leveraged if the agent is misled by injected content.
Sanitization: Absent. There is no evidence of validation or escaping for the URLs or parameters extracted from the untrusted summary files.
[COMMAND_EXECUTION]: The skill performs several command-line operations that interact with the system and environment.
Uses bash to search the filesystem (find), read files (cat), and search for patterns (grep).
Executes npx prisma studio execute in Step 6 to run database queries. If table names or query parameters are influenced by the milestone context, this could lead to unauthorized data access.
[DATA_EXFILTRATION]: The skill contains logic designed to access and test sensitive credentials, which creates an exposure surface.
Step 3 explicitly instructs the agent to search for API_KEY, SECRET, and TOKEN within the source code (src/api/external-service/route.ts).
The use of curl to test endpoints allows for data to be sent to external or local services. If an attacker-controlled milestone summary specifies a malicious URL, the agent could inadvertently exfiltrate configuration data or secrets during the verification process.

gsd-integration-checker