skills/garagon/nanostack/conductor/Gen Agent Trust Hub

conductor

Pass

Audited by Gen Agent Trust Hub on Mar 31, 2026

Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The sprint.sh complete command accepts a user-provided --artifact path which is passed directly to the ln command without validation or restriction to the project directory. An agent or a malicious task could specify sensitive system files (e.g., ~/.ssh/id_rsa or .env files) to be symlinked into the .nanostack/conductor/ directory, potentially exposing them to other processes or agents.
    Evidence: ln -snf "$artifact" "$phase_dir/artifact.json" in bin/sprint.sh.
  • [PROMPT_INJECTION]: The skill implements a 'Phase Protocol' (Category 8) where agents pass context through 'context_checkpoint' artifacts containing fields like summary and decisions_made. This creates an indirect prompt injection surface where a compromised or malicious agent in an early phase could inject instructions into the checkpoint to manipulate the behavior of agents in later phases.
    Mandatory Evidence Chain:
    1. Ingestion points: bin/restore-context.sh (as described in SKILL.md).
    2. Boundary markers: None described in the protocol.
    3. Capability inventory: Command execution via bin/sprint.sh and other referenced scripts in SKILL.md.
    4. Sanitization: No sanitization of checkpoint content is mentioned.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 31, 2026, 05:01 PM