subagent-driven-development

Pass

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: SAFE
Finding category: PROMPT_INJECTION

Full Analysis

  • [PROMPT_INJECTION]: Detected an indirect prompt injection surface where untrusted data from implementation plans is processed by subagents.
    1. Ingestion points: Task text is extracted from plan files (referenced in SKILL.md) and interpolated into subagent prompts in implementer-prompt.md and spec-reviewer-prompt.md.
    2. Boundary markers: The prompt templates use structural markdown headers to isolate task descriptions but lack explicit boundary markers or instructions for the subagent to ignore potential control sequences within the task text.
    3. Capability inventory: The implementer subagent has the capability to write files, create commits, and run tests (which involves command execution via the general-purpose tool).
    4. Sanitization: No sanitization or schema validation is applied to the task descriptions before they are passed to the subagents.
    5. Mitigation: The risk is mitigated by the skill's mandatory two-stage review process, where a separate 'spec-reviewer' subagent is explicitly instructed to verify the code against the requirements without trusting the implementer's report.
Audit Metadata

Risk Level: SAFE
Analyzed: Mar 14, 2026, 09:56 AM