spec-driven-archive
Pass
Audited by Gen Agent Trust Hub on Apr 12, 2026
Risk Level: SAFE
PROMPT_INJECTION
COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface in Step 3 and Step 4, where the AI is instructed to inspect and merge 'delta specs' from the .spec-driven/changes/<name>/specs/ directory. Since these files are external data processed as instructions for the merge logic (ADDED, MODIFIED, REMOVED), an attacker could inject instructions within these files to manipulate the AI's behavior during file modification or script execution.
  - Ingestion points: .spec-driven/changes/<name>/specs/ (SKILL.md, Step 3)
  - Boundary markers: Absent. The AI is directed to interpret the markdown content of the delta files without delimiters or instructions to ignore embedded commands.
  - Capability inventory: The skill executes local shell commands via node (modify, apply, archive, verify-spec-mappings) and has the ability to read and write files within the .spec-driven/ directory.
  - Sanitization: Absent. There is no evidence of validation or escaping for the content retrieved from the delta spec files.
- [COMMAND_EXECUTION]: The skill uses unsafe interpolation of the user-provided <name> variable directly into shell commands (e.g., node {{SKILL_DIR}}/scripts/spec-driven.js apply <name>). If a user provides a crafted change name containing shell metacharacters, it could lead to arbitrary command execution, as the AI is instructed to use the name without validation.
Audit Metadata