kata-brainstorm

Pass

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: SAFE
COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses node -e to programmatically read and modify the ~/.claude/settings.json file. While this is used to enable the required 'Agent Teams' experimental feature for the brainstorming session, executing shell commands to modify global configuration files is a sensitive operation.
  • [CREDENTIALS_UNSAFE]: The skill accesses ~/.claude/settings.json, which is a sensitive configuration file that may contain environment variables or other agent-specific configuration. The skill reads from and writes to this file to update the CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS flag.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it aggregates content from various repository files (such as README.md, .planning/PROJECT.md, and issue descriptions) and injects this data directly into the prompts for sub-agents (Explorers and Challengers).
      • Ingestion points: Content is read from .planning/PROJECT.md, .planning/ROADMAP.md, .planning/issues/open/*.md, .planning/STATE.md, README.md, and package.json.
      • Boundary markers: The collected brief is inserted into sub-agent templates using the [CONDENSED PROJECT BRIEF] placeholder without any XML delimiters, markdown blocks, or explicit 'ignore embedded instructions' warnings to prevent the data from being interpreted as commands by the sub-agents.
      • Capability inventory: Sub-agents spawned by this skill have the ability to explore the codebase using tools, update tasks, and write files to the project directory.
      • Sanitization: There is no evidence of sanitization, escaping, or validation of the content read from the repository before it is interpolated into the prompts for the sub-agents.
Audit Metadata
  Risk Level: SAFE
  Analyzed: Apr 10, 2026, 11:59 AM