subagent-driven-development

Pass

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: SAFE
[PROMPT_INJECTION]
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its architecture for processing external plan files.
    • Ingestion points: The skill reads implementation plans (e.g., docs/plans/feature-plan.md) and extracts task text to be processed by subagents.
    • Boundary markers: The templates in implementer-prompt.md and spec-reviewer-prompt.md interpolate task text directly into subagent prompts without delimiters (such as XML tags or triple backticks) and without instructions to ignore potentially malicious commands embedded in the tasks.
    • Capability inventory: The subagents are tasked with file operations (write_file), version control (commit), and running tests (supaconductor:test-driven-development), which provides an execution path for injected instructions.
    • Sanitization: No sanitization or validation logic is defined to check the contents of the plan file before it influences subagent behavior.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 29, 2026, 03:30 AM