documenter

Pass

Audited by Gen Agent Trust Hub on Feb 26, 2026

Risk Level: SAFE | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes data from external subagents without appropriate safeguards.
    • Ingestion points: The skill ingests files_modified lists and story title strings from RALPH_DONE signals provided by other agents.
    • Boundary markers: There are no explicit boundary markers or instructions telling the agent to treat the RALPH_DONE data as untrusted or to ignore instructions embedded within those fields.
    • Capability inventory: The skill has the capability to run git diff, git add, and git commit commands.
    • Sanitization: There is no requirement or logic to sanitize or escape the inputs before they are used in shell command templates.
  • [COMMAND_EXECUTION]: The skill dynamically constructs shell commands using untrusted data from external signals.
    • In Step 4, the instructions mandate building a git add command using the files_modified list and a git commit command using the story title provided in the RALPH_DONE signal. If these inputs contain shell metacharacters (e.g., semicolons, backticks, or pipes), they could potentially be exploited to execute arbitrary commands depending on how the agent's execution environment handles shell escaping.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 26, 2026, 05:24 AM