create-plan

Fail

Audited by Gen Agent Trust Hub on Mar 17, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: In SKILL.md the skill spawns sub-agents through the Task tool with mode: "bypassPermissions". That setting skips the user permission prompts that normally gate a sub-agent's file writes and command execution, so the sub-agents operate without user oversight.
  • [COMMAND_EXECUTION]: SKILL.md contains a shell-execution line (!ls plans/) that lists files in the host environment when the skill runs. The listed command is benign, but the mechanism executes whatever command follows the `!` prefix on the local machine.
  • [PROMPT_INJECTION]: The skill is exposed to indirect prompt injection through the external data it handles: it ingests codebase summaries and user input and interpolates them verbatim into the instructions given to the planner sub-agent, so text found in the repository becomes part of the planner's prompt.
    ◦ Ingestion points: Step 2.5 of SKILL.md gathers codebase details through an 'Explore' agent, and Step 1 gathers user requirements through AskUserQuestion.
    ◦ Boundary markers: no delimiters (XML-style tags or unique marker strings) separate the untrusted codebase content from the orchestrator's own instructions, so the model has no structural cue for where data ends and instructions begin.
    ◦ Capability inventory: the spawned agents hold the Read, Write, Edit, Task and Skill tools and run in bypassPermissions mode, so an injected instruction they follow can write files and spawn further agents without a confirmation prompt.
    ◦ Sanitization: no sanitization, validation or escaping is applied to codebase or user data before it is interpolated into sub-agent prompts.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 17, 2026, 04:58 AM