speckit-clarify

Warn

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: Potential command injection in scripts/check-prerequisites.sh. The script executes eval $(get_feature_paths), where get_feature_paths (defined in scripts/common.sh) generates shell variable assignments using metadata derived from the file system. In scripts/common.sh, the get_feature_paths function includes CURRENT_BRANCH='$current_branch' in a heredoc. If a repository branch name or directory in the specs/ folder contains shell metacharacters (e.g., ' ; touch /tmp/pwned ; '), the eval call in check-prerequisites.sh will execute the injected commands.
  • [PROMPT_INJECTION]: Risk of indirect prompt injection during specification scanning. The skill reads the content of FEATURE_SPEC (typically spec.md) in SKILL.md Step 2 to perform an ambiguity scan. No explicit delimiters or instructions to ignore embedded commands are used when the agent processes the specification content. The skill has the capability to execute local shell scripts (scripts/check-prerequisites.sh) and perform file write operations (FEATURE_SPEC update in Step 7). There is no evidence of sanitization or filtering applied to the text read from the specification files before it is processed by the LLM.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 11, 2026, 11:36 AM