NYC

project-planner

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Category: PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (LOW): The skill processes untrusted data (feature requests and user stories) to generate implementation plans. This creates a surface for indirect prompt injection where a malicious requirement could attempt to influence the agent's behavior during plan generation.
  • Ingestion points: The skill reads feature requests, user stories, and product requirements as the primary input (SKILL.md, Step 1).
  • Boundary markers: None. The instructions do not specify using delimiters or 'ignore embedded instructions' warnings when reading user-provided requirements.
  • Capability inventory: The skill is restricted to Read, Grep, Glob, and Write tools. It lacks Execute, Shell, or Network tools, which significantly limits the potential impact of an injection.
  • Sanitization: No sanitization or validation of the input requirement is mentioned before it is processed by the LLM.
  • [Remote Code Execution] (SAFE): While the skill instructions and templates mention running test commands (e.g., pytest, npm test), these are intended as documentation for the generated plan and are not executed by the skill itself. The skill lacks the necessary tools to execute arbitrary shell commands.
  • [Data Exposure & Exfiltration] (SAFE): The skill does not access sensitive files (such as credentials or SSH keys) and has no network access to exfiltrate data. Its file access is typically limited to the project source code for mapping affected modules.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:19 PM