verifying

Warn

Audited by Gen Agent Trust Hub on Apr 9, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill is instructed in Step 5 to extract commands from the "Automated Verification" section of plan files and re-run them. This capability allows for the execution of arbitrary shell commands defined within markdown documents.
  • [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection because it ingests and acts upon untrusted data from markdown files found in the file system.
    • Ingestion points: Plan files located in thoughts/*/plans/ and their associated frontmatter fields.
    • Boundary markers: No explicit delimiters or instructions are provided to the agent to prevent it from following commands or logic embedded within the plan content.
    • Capability inventory: Shell command execution (Step 5), git diff operations (Step 3), and file system searching (Step 1).
    • Sanitization: The instructions provide a weak guardrail by asking the agent not to run "destructive" commands, but there is no technical validation or sanitization of the commands extracted from the plan files.
  • [COMMAND_EXECUTION]: Step 3 uses the git_commit field from a plan's frontmatter directly in a git diff command. If this field contains shell metacharacters, it could lead to command injection.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 9, 2026, 10:51 AM