sdd-apply

Warn

Audited by Gen Agent Trust Hub on Apr 8, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill is instructed to execute arbitrary shell commands found in openspec/config.yaml under the diagnosis_commands key. An attacker could provide a malicious configuration file in a repository to execute commands when the agent performs a diagnosis step.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface. Ingestion points: openspec/changes/<change-name>/tasks.md, openspec/config.yaml, and ai-context/*.md. Boundary markers: absent. Capability inventory: subprocess command execution (Step 4.2), file read (Steps 1, 4.1), and file write (Step 5). Sanitization: absent. It treats markers like [WARNING: MUST_RESOLVE] as instructions that block and alter agent behavior.
  • [DATA_EXFILTRATION]: The skill aggregates project context from files including ai-context/stack.md, architecture.md, and conventions.md. This sensitive architectural and project-specific data is processed and could be exfiltrated if combined with the command execution capabilities.
  • [REMOTE_CODE_EXECUTION]: The skill dynamically resolves and loads additional instructions from the user's home directory (~/.claude/skills/) based on keywords found in the project's technology stack. This mechanism relies on the integrity of local files which may be outside the primary skill's control.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 8, 2026, 05:45 AM