developer-toolbox

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • PROMPT_INJECTION (HIGH): The skill is highly susceptible to indirect prompt injection. Its agents ingest untrusted content from the codebase and logs while possessing the ability to execute system commands and modify files. If a source file contains malicious instructions in comments, the agent may execute them.
  • Ingestion points: Agents use Read, Glob, and Grep to ingest content from source files, error logs, and git diffs across all 7 specialized agents.
  • Boundary markers: No delimiters or safety instructions are used to separate untrusted user data from agent instructions in the prompts, allowing embedded malicious commands to potentially hijack the agent's behavior.
  • Capability inventory: Agents are equipped with Bash, Write, Edit, and Task tools, providing a significant impact surface (RCE and file destruction) if an injection occurs.
  • Sanitization: There is no evidence of sanitization, validation, or filtering of external content before it is interpolated into the agent prompts.
  • COMMAND_EXECUTION (MEDIUM): Several agents are designed to execute arbitrary shell commands based on project state or build configurations.
  • Evidence: build-verifier.md explicitly executes rm -rf dist && npm run build. test-runner.md is designed to run arbitrary test suites via the shell. This allows malicious scripts defined in a project's package.json or build configuration to be executed automatically by the agent when a user asks to 'verify the build' or 'run tests'.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 15, 2026, 05:32 AM