aif
Pass
Audited by Gen Agent Trust Hub on May 8, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is designed to ingest and act upon instructions found within the project it is analyzing, which creates a significant attack surface for indirect prompt injection.
  - Ingestion points: It reads codebase configuration files (e.g., package.json, composer.json) and project-level override rules in '.ai-factory/skill-context/aif/SKILL.md'.
  - Boundary markers: There are no specified delimiters or instructions to treat this data as untrusted, increasing the risk that the agent will follow malicious directives embedded in project files.
  - Capability inventory: The skill possesses significant capabilities, including filesystem modification, directory creation, and the ability to delete files.
  - Sanitization: The instructions explicitly command the agent to treat project-specific rules as overrides that 'win' over general instructions, bypassing default safety logic if a malicious project file is present.
- [EXTERNAL_DOWNLOADS]: The skill facilitates the acquisition and execution of code from an external repository.
  - Evidence: It uses 'npx skills install' to fetch additional skills from 'skills.sh'. Although it provides instructions for a two-level security scan (an automated script and a manual review), the reliance on a non-standard external source introduces supply chain risk.
- [COMMAND_EXECUTION]: The skill uses high-risk shell commands that could be misused if the agent's logic is subverted via prompt injection.
  - Evidence: The 'allowed-tools' list includes 'Bash(rm -rf *)'. While intended for managing skill installations and cleanup, this tool provides a mechanism for widespread data loss if triggered by a malicious directive.