speckit-plan

Pass

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: SAFE (findings: PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [PROMPT_INJECTION]: The skill has an indirect prompt injection surface (Category 8): untrusted data from project specifications is written into persistent AI agent instruction files. Ingestion points: the skill reads project data from FEATURE_SPEC (spec.md) and IMPL_PLAN (plan.md). Boundary markers: the agent files use markers to separate automatically generated content from hand-written content, but a model does not honour those markers, so instructions injected inside the marked section still influence agent behaviour. Capability inventory: the skill modifies persistent context files, including CLAUDE.md, GEMINI.md and Cursor rules, which define project-wide instructions, so an injected instruction persists across sessions rather than affecting a single run. Sanitization: content extracted from plans is partially escaped for shell operations, but it is not validated for malicious natural-language instructions; shell escaping does not address that class of input.
  • [COMMAND_EXECUTION]: The skill executes local shell scripts that use eval to process path variables. Those variables are derived from the environment and the current branch name. Git ref names may legitimately contain shell metacharacters such as ';', '$', '`' and '(', so a branch name pushed by a collaborator or present in a cloned repository, or a manipulated environment variable, could result in local command injection when the script runs.
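The COMMAND_EXECUTION finding above, reproduced as an added example that is not the audited skill's code: a helper emits shell assignments built from the branch name, the caller evals them, and a branch name carrying a ';' turns into a second command. The same pattern is then shown with the value properly quoted, and with an allowlist check that rejects such names before they reach any path construction. The function names, the /repo root, the `001-feature;INJECTED=yes` branch name and the `INJECTED` variable are all constructed for the demonstration; a real payload would run a command rather than set a variable.

```shell
#!/bin/sh
# Added example (not the audited skill's code): emulates the eval-on-path
# pattern the audit describes and shows two mitigations. The helper names,
# the /repo root and the INJECTED marker variable are hypothetical.

# Constructed branch name. Git accepts ';' and '$' in ref names, so a
# remote can publish a branch like this and a checkout makes it "current".
# The payload only sets a variable; a real one could run any command.
INJECTED_BRANCH='001-feature;INJECTED=yes'

# Unsafe: the helper prints shell assignments built from the branch name
# and the caller evals them, so metacharacters in the name become code.
emit_paths_unsafe() {
  printf 'FEATURE_DIR=%s/specs/%s\n' "$1" "$2"
}

run_unsafe() {
  INJECTED=no
  eval "$(emit_paths_unsafe /repo "$1")"
  printf '%s %s' "$FEATURE_DIR" "$INJECTED"
}

# Mitigation 1: if the assignments must travel through eval, emit every
# value as a single-quoted shell word (each "'" becomes "'\''"), so the
# branch name is data, never syntax.
shell_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

emit_paths_quoted() {
  printf 'FEATURE_DIR=%s\n' "$(shell_quote "$1/specs/$2")"
}

run_quoted() {
  INJECTED=no
  eval "$(emit_paths_quoted /repo "$1")"
  printf '%s %s' "$FEATURE_DIR" "$INJECTED"
}

# Mitigation 2: reject branch names outside a conservative allowlist before
# they reach any path or shell construction. Returns 0 if acceptable.
validate_branch() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9._/-]*$'
}

# Stand-alone demo: the unsafe path reports INJECTED=yes, the quoted path
# keeps the metacharacters inside the value, the allowlist rejects the name.
echo "unsafe : $(run_unsafe "$INJECTED_BRANCH")"
echo "quoted : $(run_quoted "$INJECTED_BRANCH")"
validate_branch "$INJECTED_BRANCH" || echo "allowlist: rejected '$INJECTED_BRANCH'"
```

The quoting fix alone still lets an odd-looking directory such as `specs/001-feature;INJECTED=yes` be created, which is why the allowlist check is the one to apply first; eval should then be avoided entirely where the script can simply assign the variables itself.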
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 11, 2026, 11:36 AM