skills/eoash/ash-skills/opusplan/Gen Agent Trust Hub

opusplan

Pass

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill leverages the Bash tool to perform implementation steps. While the default workflow includes a user confirmation phase, the inclusion of a --no-confirm flag allows the agent to execute arbitrary shell commands automatically based on the generated plan.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it processes untrusted data which then influences high-privilege tool usage.
    • Ingestion points: The --task argument and any files or directories provided via the --context argument serve as entry points for potentially malicious instructions (SKILL.md).
    • Boundary markers: There are no explicit delimiters or instructions provided to the LLM to ignore or sanitize embedded instructions within the ingested context files.
    • Capability inventory: The skill has access to a powerful suite of tools including Bash, Write, Edit, and Read, which could be abused if the planning phase is compromised.
    • Sanitization: The instructions do not define any sanitization, filtering, or validation logic for the content read from external paths before it is used to generate the execution plan.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 6, 2026, 03:23 PM