feature-workflow

Fail

Audited by Gen Agent Trust Hub on Feb 20, 2026

Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [Privilege Escalation] (HIGH): The orchestration guides in references/step-4.md and references/team-spawn.md explicitly instruct the agent to spawn sub-agents (Workers) using the mode: "bypassPermissions" parameter. This grants these sub-agents the ability to use powerful tools like Bash and Write without prompting the user for confirmation, which is a direct violation of the least-privilege principle and typical security posture.
  • [Dynamic Execution] (MEDIUM): The skill utilizes a complex dynamic execution pattern where a 'Coordinator' agent assembles prompts for 'Worker' agents at runtime. These prompts are constructed by inlining content from multiple markdown files (00-TASK_MASTER.md and various NN-TASK.md), leading to a large and complex execution context that is difficult to audit statically.
  • [Indirect Prompt Injection] (LOW): The skill processes untrusted user data to drive its automated workflow, creating an injection surface.
      • Ingestion points: The file .ai/tasks/<TASK_ID>/00-user-prompt.md serves as the primary entry point for user-controlled data.
      • Boundary markers: The system relies on standard Markdown headers (e.g., '## Requirements') but lacks robust delimiters or explicit instructions to ignore potentially malicious commands embedded within the user's requirements.
      • Capability inventory: The skill possesses broad capabilities, including full filesystem access via Bash (Read, Write, Edit, Glob, Grep) and the ability to spawn and manage other AI agents.
      • Sanitization: There is no evidence of sanitization or validation of the user input before it is consumed by the 'Requirements Analyst' agent or subsequently inlined into 'Worker' prompts.
  • [Command Execution] (SAFE): The scripts/task.sh script is used for local task management (status tracking and file initialization). While it uses sed to modify configuration files, its behavior is scoped to the skill's own task directory.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 20, 2026, 03:18 PM