NYC

code-parallel

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill's core functionality is to ingest untrusted data from an external source and use it to drive high-privilege actions.
  • Ingestion points: Reads plan.md from a user-provided plan-path (Step 1).
  • Boundary markers: None detected. The skill directly parses the 'Execution strategy' and 'Parallelization Info' from the external file without isolation or validation.
  • Capability inventory: The skill orchestrates multiple high-privilege sub-agents (fullstack-developer, tester, git-manager) capable of file modification, code execution, and repository manipulation.
  • Sanitization: None detected. Decisions about parallel vs sequential execution and phase content are derived directly from the plan's structure.
  • Command Execution (MEDIUM): While not executing shell commands directly in the script, it triggers processes like 'type checking' and 'testing' (Step 2B, Step 3) based on the untrusted plan content. If the plan specifies malicious phases, these automated tools may be used to execute attacker-controlled logic.
  • Prompt Injection (LOW): Contains instructional markers like 'IMPORTANT' and 'Core Rule' which are common in agent instructions and are used here for operational control rather than malicious overrides.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 08:50 AM