Gen Agent Trust Hub audit: skills/donutdaniel/agent-skills/docs

Skill: docs

Verdict: Pass

Audited by Gen Agent Trust Hub on Mar 24, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION

Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through several data ingestion points where untrusted content can influence agent behavior.
  • Ingestion points: The /docs research command (as described in references/research.md) scans issue trackers, feature requests, support channels, and codebase comments (TODO, FIXME, HACK). This data originates from potentially untrusted users or external contributors.
  • Boundary markers: There are no explicit instructions or delimiters defined to isolate ingested content or warn the agent to ignore embedded instructions within these sources.
  • Capability inventory: The skill possesses high-impact capabilities including automated code implementation and shell command execution for verification (references/work.md), and the ability to modify project-wide agent policy files like AGENTS.md and CLAUDE.md (references/sync.md).
  • Sanitization: The skill does not mention any validation, escaping, or sanitization processes for the data retrieved from external trackers or code comments before it is used to generate roadmap items or influence implementation plans.
  • [COMMAND_EXECUTION]: The /docs work command involves executing shell commands to verify code implementations.
  • Evidence: references/work.md explicitly instructs the agent to "Run verification commands" as part of the build process. While necessary for the skill's primary purpose, these commands could be manipulated by malicious instructions ingested during the research phase.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 24, 2026, 03:57 PM