cto

Pass

Audited by Gen Agent Trust Hub on Apr 22, 2026

Risk Level: SAFE [PROMPT_INJECTION]
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection because it is designed to ingest and act upon untrusted external data (Pull Requests via /cto-review and strategic goals) while having access to powerful system tools.
      • Ingestion points: External data enters the agent's context when it reviews pull requests or decomposes high-level goals into technical tasks as defined in SKILL.md.
      • Boundary markers: The instructions lack specific delimiters or negative constraints to prevent the agent from following instructions embedded within the data it is analyzing.
      • Capability inventory: The skill is configured with access to Bash, Read, Glob, and Grep tools (SKILL.md), which could be leveraged if an injection attack successfully manipulates the agent's output.
      • Sanitization: There is no evidence of input validation, escaping, or filtering of the external data before it is processed by the agent.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 22, 2026, 03:48 PM