code-refactoring-context-restore

Fail

Audited by Gen Agent Trust Hub on Feb 14, 2026

Risk Level: HIGH
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill's core functionality is to ingest external project data and integrate it into the agent's reasoning context, creating a significant attack surface.
    • Ingestion points: Data is retrieved from external sources via VectorDatabase.search (sub-skills/1-semantic-vector-search.md) and project file identifiers.
    • Boundary markers: The provided instructions and sub-skills lack any delimiters or 'ignore' warnings for the rehydrated content.
    • Capability inventory: The skill uses the context-restore CLI tool and performs decision-making based on retrieved 'historical impact' scores (sub-skills/2-relevance-filtering-and-ranking.md).
    • Sanitization: There is no evidence of sanitization or structural validation for the data returned from the vector database before it is rehydrated into the session.
  • [Command Execution] (LOW): The documentation (sub-skills/workflow-2-cross-project-knowledge-transfer.md) directs the agent to execute the context-restore command with various flags. This is considered low risk on its own, but it amplifies the impact of an indirect injection if command arguments are influenced by poisoned context.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 14, 2026, 02:47 PM