The Agent Skills Directory

[Indirect Prompt Injection] (HIGH): The skill ingests untrusted data from local PRD files and source code and uses it to generate design documentation and GitHub Issues. This creates a surface where malicious instructions in a PRD or code comment could influence the agent's behavior.
Ingestion points: Reads .claude/cx/features/{dev_id}-{feature}/prd.md and scans local source code using an 'Explore subagent'.
Boundary markers: No explicit delimiters or instructions to ignore embedded commands in the ingested data were found.
Capability inventory: Executes shell commands (git, jq), writes to the local filesystem (design.md), and performs network operations (GitHub Issue creation via github_sync).
Sanitization: No sanitization or validation of the content extracted from PRDs or source code is performed before it is used in prompts or sent to GitHub.
[Command Execution] (MEDIUM): The skill uses shell commands to resolve the project environment and read configuration data.
Evidence: PROJECT_ROOT=$(git rev-parse --show-toplevel) and jq -r '.developer_id' "$PROJECT_ROOT/.claude/cx/config.json" are executed during the initialization step.
[Data Exfiltration] (MEDIUM): Content derived from the local environment, including potential secrets if leaked into PRDs or code, can be transmitted externally via the GitHub synchronization feature.
Evidence: Step 5 explicitly supports creating GitHub Issues based on the generated design content when config.github_sync is enabled.

cx-design