NYC

cook-hard

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [Prompt Injection] (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8) due to its high-privilege capabilities combined with untrusted data ingestion.
  • Ingestion points: The skill accepts arbitrary input via the $ARGUMENTS variable in SKILL.md within the <tasks> tags.
  • Boundary markers: XML-style tags (<tasks>) are used to delimit input, which provides some structure but is insufficient to prevent an attacker from escaping the context or overriding instructions.
  • Capability inventory: The skill workflow includes file modification (implementation phase and documentation updates) and command execution ("type-check", "compile", and "Run relevant tests" in SKILL.md).
  • Sanitization: There is no evidence of input validation, escaping, or filtering of the content provided in $ARGUMENTS before it is used to drive the agent's actions.
  • [Command Execution] (MEDIUM): The skill specifically instructs the agent to execute compiler and test suite commands. While these are functional requirements for a development skill, they provide an execution vector for any malicious code injected through the tasks argument.
  • [Data Exposure] (LOW): The skill references internal configuration files located in .claude/skills/shared/. While this is part of its operational logic, it exposes the path structure and content of internal agent protocols to the processing context.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 12:58 PM