NYC

design-describe

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill possesses a significant attack surface by ingesting untrusted multimodal data ($ARGUMENTS) and using it to drive complex workflows.
  • Ingestion points: Untrusted content enters via the <screenshot> tag in SKILL.md.
  • Boundary markers: The use of XML-style tags is insufficient to prevent the vision model from following instructions rendered textually or contextually within the screenshot or video.
  • Capability inventory: The agent is explicitly instructed in the workflow to "Create a directory" and write several files (plan.md and multiple phase-specific markdown files). This combination of untrusted input and file-system write access is a high-risk pattern.
  • Sanitization: The skill lacks any instructions for the agent to sanitize or ignore instructions found within the provided media, increasing the likelihood of obedience to an injected prompt.
  • File System Interaction (MEDIUM): The workflow requires the agent to perform directory and file creation. While functional for design planning, these operations are performed based on instructions derived from the untrusted input, allowing for potential directory traversal or unauthorized file creation if the agent is manipulated.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 08:39 AM