The Agent Skills Directory

Prompt Injection (LOW): The instruction uses imperative and authoritative language (e.g., 'CRITICAL', 'MANDATORY', 'Think harder') to override default tool usage ('EnterPlanMode'). While formatted similarly to injection patterns, these are functional directives for the planning workflow rather than safety bypasses.
Indirect Prompt Injection (LOW): The skill ingests untrusted user input via the $ARGUMENTS placeholder. 1. Ingestion points: $ARGUMENTS in SKILL.md. 2. Boundary markers: The input is wrapped in tags. 3. Capability inventory: File system access (directory creation, writing 'plan.md') and invocation of subagents ('researcher', 'scout', 'planner'). 4. Sanitization: No explicit sanitization or instructions to ignore embedded commands within the task description are present.

plan-two