workflow-quality-audit

Warn

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill's workflow depends on executing shell commands defined in the configuration, specifically via the items.api and evidence.capture fields. There is no validation or sanitization of these commands before execution.
  • [REMOTE_CODE_EXECUTION]: The reporting step uses the bd tool to post comments. The command bd comment {item.id} --body "{verdict}" interpolates values that may originate from untrusted external sources (item metadata or audit results) without escaping, creating a risk of shell command injection.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted data (audit items, standards documents, and evidence artifacts) and uses it to drive the evaluation logic without defined boundary markers or sanitization.
  • Ingestion points: Item lists from items.api or files, standards.doc, and various evidence types such as source-read and test-run outputs in SKILL.md.
  • Boundary markers: Absent. The pipeline does not implement delimiters or instructions to ignore embedded commands within the ingested evidence.
  • Capability inventory: The skill has access to Bash, Read, Write, Edit, Glob, Grep, and Task tools, which are active during the ingestion and evaluation phases.
  • Sanitization: Absent. There is no evidence of input validation, output escaping, or content filtering for data processed during the audit workflow.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 1, 2026, 09:43 AM