spec-driven-dev

Pass

Audited by Gen Agent Trust Hub on Mar 12, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it processes untrusted data from specification files to perform actions.
    • Ingestion points: Markdown files in .windloop/specs/ or .kiro/specs/ (requirements.md, design.md, tasks.md) and project root files like README.md.
    • Boundary markers: Missing explicit instructions or delimiters to ignore embedded instructions within the user-provided requirement descriptions.
    • Capability inventory: The skill has the ability to write files, perform Git operations (add, commit, merge), and execute shell commands.
    • Sanitization: No sanitization or validation of the input spec content is performed before the agent acts on the instructions.
  • [COMMAND_EXECUTION]: The skill performs dynamic command execution based on configuration. In references/spec-go.md and references/spec-task.md, the agent is instructed to run test and lint commands parsed directly from the design.md file. This allows for arbitrary command execution if a specification file contains malicious shell commands in the testing strategy section.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 12, 2026, 07:40 AM