blueprint-prp-execute

Warn

Audited by Gen Agent Trust Hub on Apr 21, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes dynamic context injection (!command) to execute shell commands when the skill is loaded into the agent context. The user-provided PRP name argument is interpolated directly into these shell commands without sanitization, leading to a command injection vulnerability. Evidence: !grep -m1 "^confidence:" docs/prps/${1:-unknown}.md and !find . -maxdepth 1 -name 'docs/prps/${1:-unknown}.md' in SKILL.md.
  • [COMMAND_EXECUTION]: The skill's primary workflow involves parsing and executing arbitrary shell commands from external markdown files (PRPs). This allows for code execution if a user processes a malicious PRP file from an untrusted source. Evidence: "Linting gate: [command from PRP]" and "Step 4: Run comprehensive final validation" in SKILL.md.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests implementation requirements from external PRP files and documentation to drive its logic and code generation.
    1. Ingestion points: docs/prps/{prp-name}.md, ai_docs entries.
    2. Boundary markers: No delimiters or warnings are used to isolate untrusted content.
    3. Capability inventory: The skill has access to high-privilege tools including Bash, Task, Write, and Edit.
    4. Sanitization: No input validation or sanitization is performed on the ingested content.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 21, 2026, 01:17 AM