The Agent Skills Directory

[PROMPT_INJECTION]: The skill orchestrates an autonomous loop that processes untrusted PRD documents and interpolates their content into prompts for sub-agents. 1. Ingestion points: Markdown PRD files or 'prd.json' at the project root. 2. Boundary markers: The prompt template uses structural headers (e.g., '## 用户故事') but lacks explicit instructions to ignore malicious directives potentially embedded in the PRD text. 3. Capability inventory: Orchestrator and sub-agents have access to filesystem operations, shell execution (git, npm, jq), and sub-agent spawning. 4. Sanitization: No validation or sanitization of PRD content is performed.
[COMMAND_EXECUTION]: The skill constructs and executes shell commands, such as 'git checkout', using values extracted directly from the 'prd.json' file. This pattern is susceptible to command injection if fields like 'branchName' contain shell metacharacters.

ralph-yolo