planning-with-files

Pass

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: LOW
PROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (LOW): The skill's core workflow relies on the agent reading and following instructions from task_plan.md and notes.md to refresh its 'attention window'.
  • Ingestion points: Data enters through notes.md (e.g., from web research as seen in Example 1) and is summarized into the task plan.
  • Boundary markers: The templates do not use delimiters or instructions to treat the file content strictly as data, increasing the risk that the agent may obey instructions embedded in untrusted research findings.
  • Capability inventory: The skill uses file-system read/write operations to influence subsequent agent decisions and tool selections.
  • Sanitization: No sanitization or validation of the external content is prescribed.
  • Metadata Poisoning (LOW): The reference.md file contains fictionalized information regarding the acquisition of 'Manus' by Meta for $2 billion in December 2025. This is used as a psychological anchoring technique to establish authority and enforce the 'Critical Rules' defined in SKILL.md.
Audit Metadata
Risk Level: LOW
Analyzed: Feb 16, 2026, 07:54 AM