spec-driven-cancel

Warn

Audited by Gen Agent Trust Hub on Apr 12, 2026

Risk Level: MEDIUM

COMMAND_EXECUTION
Full Analysis
  • [DYNAMIC_EXECUTION]: The skill references and executes a script (spec-driven.js) located at a path constructed using relative navigation (../../dist/scripts). This technique, indicated by the content of the 'scripts' file, allows the skill to load and run executable code from outside the skill's sandbox or intended directory structure, which is a significant security risk if the environment is not strictly isolated.
  • [COMMAND_EXECUTION]: The skill directly invokes shell commands such as ls to verify directory existence and node to execute the management scripts. These commands operate on the local filesystem and carry the risk of broader system interaction.
  • [COMMAND_EXECUTION]: The skill performs destructive operations by permanently deleting directories and files within the .spec-driven/changes/ path. While it includes a confirmation step, the reliance on a user-provided or dynamically discovered <name> parameter creates a potential surface for path traversal attacks if the underlying Node.js script does not rigorously sanitize the input.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes data (active changes) discovered from the filesystem to populate choices for the user.
    • Ingestion points: The output of node scripts/spec-driven.js modify is used to identify which change to delete.
    • Boundary markers: There are no explicit boundary markers or instructions to ignore malicious content within change metadata.
    • Capability inventory: The skill has the capability to execute shell commands and delete files.
    • Sanitization: Sanitization logic is contained within the external script and cannot be verified, leaving the agent vulnerable to instructions embedded in project file names or change descriptions.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 12, 2026, 01:18 PM