skills/killvxk/teamskills/team-init/Gen Agent Trust Hub

team-init

Warn

Audited by Gen Agent Trust Hub on Mar 13, 2026

Risk Level: MEDIUM
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because user-provided metadata (project name, description, and tech stack) is directly interpolated into subagent system prompts.
    - Ingestion points: Project details are collected via the AskUserQuestion tool in SKILL.md.
    - Boundary markers: XML-like tags (e.g., <project_context>) are used, but no instructions are provided to the subagent to treat this content as untrusted or to ignore embedded commands.
    - Capability inventory: Subagents (such as the Project Manager or Moderator) are granted 'bypassPermissions' and have access to powerful tools like Read, Write, and Agent.
    - Sanitization: There is no evidence of validation or sanitization for user-supplied strings before they are used in prompt construction.
  • [COMMAND_EXECUTION]: The skill delegates high-privilege capabilities by creating subagents with mode: "bypassPermissions". This allows these agents to execute file management tools and create further agents without requiring explicit user confirmation for each action, amplifying the risk if an agent is successfully subverted via prompt injection.
  • [COMMAND_EXECUTION]: The skill constructs file paths using user-controlled input (project name and working directory) to save team configuration profiles (Step 6 of SKILL.md) without validating for directory traversal sequences like ../. This creates a risk of unauthorized file writes to sensitive locations on the host system.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 13, 2026, 07:10 PM