spec-driven-init

Pass

Audited by Gen Agent Trust Hub on Apr 12, 2026

Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes a Node.js script located at a relative path outside the immediate skill directory (../../dist/scripts/spec-driven.js) to perform project initialization. This is a common pattern for shared utilities in development environments.
  • [DATA_EXFILTRATION]: The skill reads local project files such as package.json and README.md to derive project context. This data is used solely to populate a local configuration file and is presented to the user for review.
  • [PROMPT_INJECTION]: The skill has an indirect prompt injection surface because it ingests untrusted project documentation to generate project summaries.
      - Ingestion points: README.md, AGENTS.md, CLAUDE.md, package.json, and pom.xml.
      - Boundary markers: None present to separate project data from instructions.
      - Capability inventory: Shell execution (node) and file system write access.
      - Sanitization: No sanitization of ingested file content is performed.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 12, 2026, 01:18 PM