ce-brainstorm

Pass

Audited by Gen Agent Trust Hub on Apr 29, 2026

Risk Level: SAFE
Categories: PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted data from the repository and user inputs.
    - Ingestion points: The skill reads user-provided feature descriptions via the #$ARGUMENTS placeholder in SKILL.md. It also performs an 'Existing Context Scan' (Phase 1.1), reading repository instruction files (e.g., AGENTS.md) and existing requirements documents (*-requirements.md).
    - Boundary markers: The skill uses basic XML-like tags (<feature_description>) to wrap user input but lacks explicit, robust delimiters or instructions to ignore instructions embedded within the workspace files it scans.
    - Capability inventory: The agent can write requirements documents to the local filesystem (docs/brainstorms/) and trigger subsequent implementation workflows via the ce-plan and ce-work skills.
    - Sanitization: While the workflow includes 'Product Pressure Tests' and 'Rigor Probes' to validate user intent and scope, it does not employ specific security sanitization to filter or escape potentially malicious instructions embedded in the ingested content.
  • [DATA_EXFILTRATION]: The skill includes functionality to export requirements documents to a cloud-based review service.
    - Evidence: The handoff.md reference describes the ce-proof skill, which uploads the requirements document to Every's Proof editor for collaborative feedback.
    - Context: This transfer is a primary, documented feature provided by the skill's vendor (EveryInc). It involves exporting project data to the vendor's own infrastructure and does not involve unauthorized data movement or credential exposure.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 29, 2026, 01:47 AM