executing-plans
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE
Finding: PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes and follows instructions from external plan files without sanitization. The directive in SKILL.md to "Follow each step exactly" creates a risk if the plan content is attacker-controlled or contains malicious commands.
- Ingestion points: Implementation plans are read from the filesystem (e.g., `Plan.md` or `docs/plans/`), as described in the Step 1 workflow in SKILL.md.
- Boundary markers: No specific delimiters or safety instructions are used to distinguish plan content from the agent's own system instructions.
- Capability inventory: The skill is capable of modifying multiple files and executing verification commands as defined by the steps in the plan.
- Sanitization: There is no evidence of validation or filtering of plan content before execution to prevent the implementation of harmful steps.
Audit Metadata