do-execute-review-fix

Pass

Audited by Gen Agent Trust Hub on May 8, 2026

Risk Level: SAFE (flags: PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [PROMPT_INJECTION]: The skill implements an 'Autonomous Execution Policy' that explicitly instructs the agent to ignore standard interactive safety protocols. Evidence includes instructions to 'NEVER pause, stop, or wait for user input' and 'NEVER ask the user questions', which forces the agent to operate without human verification of its actions.
  • [COMMAND_EXECUTION]: The skill performs shell command execution to verify fixes. Evidence in Step 4.1 specifies running 'all tests using the detected package manager (e.g., npm test)'. This capability allows for execution of arbitrary code defined in the project's configuration files if they are maliciously crafted.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through its ingestion of external task files.
      • Ingestion points: User-provided fix task file paths (SKILL.md, Step 1.1), review-report.md, and project documentation files (prd.md, techspec.md).
      • Boundary markers: Absent. There are no instructions to the agent to distinguish between its own logic and potentially malicious instructions contained within the task files.
      • Capability inventory: The skill uses Edit and Write tools to modify any project file and shell tools to execute test scripts.
      • Sanitization: Absent. The agent is instructed to 'Identify affected files and determine root cause from the fix task description' (Step 2.1) and implement changes based on that description without validation.
  • Remediation Guidance: To mitigate these risks, the 'Autonomous Execution Policy' should be removed to allow for human review of planned changes. Additionally, when processing fix task files, the skill should use clear XML-style delimiters and explicit instructions to treat the file content as data only, not as executable instructions.
Audit Metadata
Risk Level
SAFE
Analyzed
May 8, 2026, 02:50 AM