Refactoring Workflow

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): Shell command injection vulnerability in bash functions. The variables $old_name and $file_updated are directly interpolated into shell commands inside record_refactoring, update_refactoring_progress, and validate_refactoring without proper escaping or sanitization.
      • Evidence in SKILL.md: $(rg --files-with-matches "\b$old_name\b" --type ruby 2>/dev/null | head -20 || echo "None detected") within a subshell interpolation.
      • Evidence in SKILL.md: bd comment $TASK_ID "... $file_updated ..." uses raw variable expansion.
      • Risk: An attacker can execute arbitrary commands by setting a refactoring name like "; touch exploit; ", which would be evaluated by the shell when the skill runs its logging or validation functions.
  • [INDIRECT_PROMPT_INJECTION] (LOW): The skill possesses a surface for indirect prompt injection by ingesting file contents and outputting them to a task tracker.
      • Ingestion points: File system via rg (ripgrep) searching for patterns.
      • Boundary markers: Absent. Data is placed directly into Markdown comments for the bd command.
      • Capability inventory: File system read/write (rg, mv, sed), Command execution (bd CLI), Network communication (via bd).
      • Sanitization: Absent. No filtering of the data returned by rg before it is sent to the external task tracker.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 06:10 PM