implement

Pass

Audited by Gen Agent Trust Hub on Feb 13, 2026

Risk Level: LOW
NO_CODE
Full Analysis

The SKILL.md file defines an orchestration process for implementing tasks. It primarily instructs the LLM on how to manage a workflow, parse arguments, and invoke sub-agents.

1. Prompt Injection: The skill uses keywords like "CRITICAL" and "IMPORTANT" extensively, but always in a self-referential manner to instruct the LLM on its own behavior and constraints (e.g., "CRITICAL: You Are an ORCHESTRATOR ONLY"). These are not attempts to bypass safety guidelines or inject malicious prompts into the LLM's core behavior. This is considered benign.

2. Data Exfiltration: No patterns indicating data exfiltration were found. The skill uses git diff --name-only and ls commands to inspect local file system state, but these are for legitimate task management and change detection, not for sending sensitive data to external, untrusted domains. There are no curl or wget commands targeting non-whitelisted domains with sensitive data.

3. Obfuscation: No obfuscation techniques (Base64, zero-width characters, homoglyphs, etc.) were detected in the skill definition.

4. Unverifiable Dependencies: The skill itself does not directly install external packages (e.g., npm install, pip install). It references internal scripts and prompts via ${CLAUDE_PLUGIN_ROOT}/prompts/judge.md, which are assumed to be part of the trusted plugin environment. Therefore, no unverifiable external dependencies are introduced by this skill definition.

5. Privilege Escalation: No commands like sudo, chmod 777, or modifications to system-level configuration files (/etc/) were found.

6. Persistence Mechanisms: No attempts to establish persistence (e.g., modifying .bashrc, crontab, authorized_keys) were detected.

7. Metadata Poisoning: The name and description fields at the top of the skill are benign and accurately reflect the skill's purpose.

8. Indirect Prompt Injection: The skill processes user-provided $ARGUMENTS and reads a $TASK_PATH file. The content of this task file is then used to construct prompts for sub-agents (sdd:developer). While the orchestrator is explicitly instructed to "MUST NOT read any other files for the rest of execution" beyond initial parsing, the sub-agents will process parts of the task file (e.g., rubrics, step descriptions). A maliciously crafted task file could potentially influence the behavior of these sub-agents. However, this is an inherent risk of any skill designed to process user-defined content, and the orchestrator's strict instructions aim to contain this risk. Given the skill's purpose, this is considered an acceptable, managed risk.

9. Time-Delayed / Conditional Attacks: No explicit time-delayed or conditional triggers for malicious actions were identified.

Command Execution: The skill describes the execution of standard shell commands like git diff, git mv, mv, and ls. These commands are used for legitimate file system operations within a controlled directory structure (.specs/tasks/). More significantly, the skill's core function is to "Launch sdd:developer agent(s)" for implementation and verification. These agents are described as having capabilities to "run tests, check imports, validate syntax," implying they perform command execution. However, the SKILL.md itself is an orchestrator, and it constructs specific, structured prompts for these agents, referencing internal scripts. This is functional command execution, not arbitrary or malicious command injection by the orchestrator itself. The commands are fixed and serve the skill's intended purpose within a defined scope.

Conclusion: The skill is well-structured with clear instructions and internal safeguards for the orchestrator. The commands executed are part of its legitimate functionality and are not arbitrary or malicious. The potential for indirect prompt injection from a malicious task file is an inherent design consideration, but the skill's strict orchestration rules aim to mitigate this.

Audit Metadata
Risk Level
LOW
Analyzed
Feb 13, 2026, 07:45 AM