critical-thinking-task-designer

Pass

Audited by Gen Agent Trust Hub on May 8, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it interpolates unvalidated user strings into the core instruction prompt without robust boundary markers.
  • Ingestion points: User-supplied fields in SKILL.md such as curriculum_topic, learner_stage, discipline_or_subject, knowledge_baseline, existing_learning_targets, and thinking_focus.
  • Boundary markers: The prompt uses bold headers to label inputs but lacks formal delimiters (e.g., XML tags or clear isolation markers) to prevent user-supplied text from being interpreted as instructions by the underlying model.
  • Capability inventory: The skill does not possess any dangerous capabilities; it has no file system access, network connectivity, or subprocess execution tools across any of its components.
  • Sanitization: There is no evidence of input validation, escaping, or sanitization performed on the user-provided data before it is inserted into the prompt template.
Audit Metadata
Risk Level: SAFE
Analyzed: May 8, 2026, 03:19 AM