plan-archive

Pass

Audited by Gen Agent Trust Hub on Mar 21, 2026

Risk Level: SAFE [COMMAND_EXECUTION] [PROMPT_INJECTION]
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the shell command rm -rf to permanently delete files within the ./plans/ directory. Although this behavior is subject to user confirmation in Step 3, the execution of destructive system commands based on directory contents is a high-privilege operation.
  • [PROMPT_INJECTION]: The skill processes untrusted data by reading and summarizing the contents of files in the plans/ directory (specifically plan.md and phase-*.md). This exposes the agent to indirect prompt injection if those files contain malicious instructions.
      • Ingestion points: The agent reads plans/plan.md and the first 20 lines of all plans/phase-*.md files in Step 1.
      • Boundary markers: Absent. The instructions do not provide delimiters or warnings to the agent to ignore any embedded instructions found within the plan files.
      • Capability inventory: The skill possesses the ability to delete files (rm -rf), perform Git operations (staging, committing, and pushing via /commit and /git-cp), and spawn sub-agents (the journal-writer sub-agent via the Task tool).
      • Sanitization: Absent. No validation, escaping, or filtering of the content read from the plan files is performed before it is passed to the summarization and journaling steps.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 21, 2026, 03:49 AM