flow-plan

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • PROMPT_INJECTION (LOW): Indirect Prompt Injection surface identified in the Beads integration.
      • Ingestion points: The skill executes bd show <id> in steps.md to retrieve context from an external issue tracker.
      • Boundary markers: No explicit delimiters or instructions are provided to the agent to treat the fetched issue content as untrusted data.
      • Capability inventory: The skill can perform state-changing operations including bd update, bd create, and writing local files to the plans/ directory.
      • Sanitization: There is no evidence of sanitization or validation of the data retrieved from the Beads tracker before it is used to generate further commands or documentation.
  • COMMAND_EXECUTION (LOW): The skill routinely executes external CLI tools (bd, rp-cli) to perform its core functions. While these are documented behaviors, they rely on the agent correctly handling potentially adversarial input from the issue tracker when constructing command arguments for bd update or bd create.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:37 PM