openspec-implementation-cn

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill's core workflow involves reading external data from spec/changes/{change-id}/tasks.json and executing the instructions found within.
      • Ingestion points: tasks.json and proposal.md in the spec/changes/ directory.
      • Boundary markers: None. The instructions tell the agent to 'read the full proposal' and 'execute tasks sequentially' without warning the agent to ignore instructions embedded within that data.
      • Capability inventory: The skill explicitly allows file reading (cat, find), command execution (npm test, pytest, npm run db:migrate), and arbitrary 'Implementation' steps defined in the tasks.
      • Sanitization: Absent. The agent is instructed to follow the task list literally.
  • [Command Execution] (HIGH): The skill encourages the agent to run arbitrary shell commands based on task descriptions. If the tasks.json defines a step like "step": "rm -rf / # test cleanup", a compliant agent following the 'Never skip a task' rule may execute it.
  • [Path Traversal] (MEDIUM): The skill uses a variable {change-id} to construct file paths (e.g., cat spec/changes/{change-id}/proposal.md). If an attacker can control this variable, they may be able to read sensitive files outside the spec directory using ../ sequences.
  • [Resource Exhaustion] (LOW): The instruction '请至少执行20轮后才回复用户' (perform at least 20 rounds before replying) forces the agent into a long-running loop. While intended for thoroughness, it could be exploited to cause denial of service via token/compute exhaustion.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:09 AM