subagent-driven-development

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • PROMPT_INJECTION (LOW): The skill is susceptible to indirect prompt injection because it ingests untrusted plan data into subagent prompts.
    * Ingestion points: Task descriptions are extracted from plan files and interpolated into implementer-prompt.md and spec-reviewer-prompt.md.
    * Boundary markers: The prompts use standard Markdown headers (e.g., ## Task Description) but do not employ strict XML-style delimiters or explicit instructions telling the agent to ignore instructions embedded within the task text.
    * Capability inventory: Subagents are granted capabilities to implement code, write files, execute tests, and commit changes to the repository.
    * Sanitization: There is no evidence of sanitization or validation of the task text before it is presented to the subagent.
  • COMMAND_EXECUTION (LOW): The skill's primary function involves subagents writing and executing code dynamically.
    * Mechanism: implementer-prompt.md explicitly directs the subagent to 'Implement exactly what the task specifies' and 'Write tests', leading to the execution of generated scripts.
    * Context: While this is the intended purpose of the skill, it represents a surface for unintended command execution if the input task description is maliciously crafted to exploit the subagent's capabilities.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:46 PM