prd
Warn
Audited by Gen Agent Trust Hub on Apr 19, 2026
Risk Level: MEDIUM
Findings: PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection because its discovery policy directs the agent to proactively ingest content from external web sources and local untrusted files (e.g., READMEs, GitHub Issues, and third-party documentation).
  * Ingestion points: Reads local project context (README, tasks, issues) and official external web docs.
  * Boundary markers: The instructions lack delimiters or specific warnings to ignore embedded commands within ingested data.
  * Capability inventory: The agent can read local files, access the web, and write markdown files to the 'tasks/' directory.
  * Sanitization: There is no process for validating or escaping external content before it enters the agent's context.
- [DATA_EXFILTRATION]: The skill's 'Discovery Policy' explicitly instructs the agent to inspect sensitive file surfaces, including 'permissions' and 'config'. While this access is intended for planning, it creates the risk that environment secrets, API keys, or access control configurations are included in the generated PRD or exposed during the agent's external lookups.
Audit Metadata