The Agent Skills Directory

[COMMAND_EXECUTION]: The skill uses Bash(npm:*,npx:*) to execute local project scripts such as npm run feature:validate and npm run feature:health. While these are standard development workflows, the broad permission allows execution of any script defined in the project's package.json or any package via npx.
[DATA_EXFILTRATION]: The manifest schema explicitly encourages tracking sensitive configuration metadata in fields like dependencies.env_vars and dependencies.secrets. While it tracks names rather than values in the examples, this creates a centralized map of sensitive assets within the codebase which could be targeted or accidentally exposed in agent outputs.
[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection.
Ingestion points: The agent is instructed to read manifest files (e.g., feature-id.yaml) which include free-text description and changelog fields.
Boundary markers: There are no explicit instructions or delimiters defined to prevent the agent from following instructions embedded within these manifest files.
Capability inventory: The agent has Read, Write, Edit, and Bash capabilities, which could be abused if it obeys instructions found inside a manifest.
Sanitization: There is no evidence of sanitization or validation of the content within the manifest descriptions before the agent processes them.

feature-manifest