skill-planner

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): Unsafe shell interpolation in bash commands and jq filters. Throughout the execution flow (Stages 2, 7, 8, and 9), shell variables like ${task_number}, ${session_id}, and ${project_name} are interpolated directly into shell strings or jq filters.
  • Evidence: Stage 9 executes git commit -m "... ${session_id} ..." without escaping. A malicious session ID could execute arbitrary commands.
  • Evidence: Stage 8 uses select(.project_number == '$task_number') in a jq filter, which can be used to bypass logic if the variable is manipulated.
- [COMMAND_EXECUTION] (MEDIUM): Path traversal vulnerability. Stage 3 constructs directory paths using ${project_name} without validation.
  • Evidence: mkdir -p "specs/${padded_num}_${project_name}". If project_name is influenced by untrusted research data processed by the subagent and contains ../ sequences, files could be written outside the intended directory.
- [COMMAND_EXECUTION] (MEDIUM): Shell execution in unquoted heredocs. Stage 3 uses a cat << EOF heredoc to write a marker file.
  • Evidence: Variables like ${session_id} inside the heredoc are subject to shell expansion. If they contain $(...) or backticks, the shell will execute those commands immediately.
- [PROMPT_INJECTION] (LOW): Indirect prompt injection surface via subagent delegation.
  • Ingestion points: The skill reads state.json (Stage 1) and .return-meta.json (Stage 6), the latter being produced by a subagent that processes untrusted research findings.
  • Boundary markers: Absent; there are no delimiters or instructions to the subagent to ignore instructions within the research data.
  • Capability inventory: The skill possesses significant capabilities, including bash execution, jq state modification, and git operations.
  • Sanitization: Absent; data retrieved from external/subagent sources is used directly in sensitive command-line operations without escaping or type-checking.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 09:48 PM