The Agent Skills Directory

[COMMAND_EXECUTION]: The script scripts/check-prerequisites.sh executes eval on the output of the get_feature_paths function defined in scripts/common.sh. The get_feature_paths function constructs shell variable assignments such as CURRENT_BRANCH='value'. Because these values are derived from environment variables, git branch names, or directory names on the local file system, an attacker could potentially inject arbitrary shell commands by including a single quote and a command separator in one of these strings, thereby breaking out of the quoted assignment during eval.
[PROMPT_INJECTION]: The skill defines a workflow to create an actionable task list for an agent by reading and processing content from external markdown files like plan.md and spec.md. This ingestion process constitutes an indirect prompt injection surface. Ingestion points: The skill reads from multiple documents within the FEATURE_DIR as specified in SKILL.md. Boundary markers: The skill does not implement boundary markers or instructions to ignore instructions embedded within the processed documentation. Capability inventory: The output is designed to be a tasks.md file for immediate execution by an agent, which typically possesses capabilities like file system access and shell execution. Sanitization: The skill lacks any sanitization or validation of the input text before organizing it into the final task list.

speckit-tasks