create-project-agency

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill has a high-severity attack surface because it ingests untrusted data while exercising filesystem write capabilities. Malicious content in the project or in fetched documentation could hijack the agent's logic.
    - Ingestion points: Processes the local project filesystem for tech stack signals and fetches external tech documentation via the Context7 MCP.
    - Boundary markers: No explicit markers are defined in the workflow to isolate untrusted data from system instructions.
    - Capability inventory: Creates multiple markdown files (AGENTS.md, PLAN.md, architecture.md, etc.), creates directories (.docs/), and creates filesystem symlinks (CLAUDE.md).
    - Sanitization: No evidence of content sanitization or validation before the data is processed by the LLM for generation.
  • External Downloads (MEDIUM): The skill fetches documentation at runtime from arbitrary external websites via Context7. This source is not on the trusted external sources list, making it a vector for data poisoning.
  • Command Execution (MEDIUM): The workflow involves automated directory creation, multiple file writes, and symlink creation. These filesystem side effects are significant capabilities that a successful prompt injection could redirect.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 07:27 AM