subagent-driven-development
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill implements a workflow that consumes external data with high-privilege capabilities.
- Ingestion points: The skill reads `[plan-file]` contents in Step 1 (Load Plan) and Step 2 (Execute Task).
- Boundary markers: No explicit delimiters (e.g., XML tags or triple backticks) or 'ignore embedded instructions' warnings are provided when interpolating task descriptions into subagent prompts.
- Capability inventory: Subagents are granted 'general-purpose' tools to 'Implement', 'Write tests', 'Verify implementation', and 'Commit'. This implies full access to the file system, subprocess execution, and git operations.
- Sanitization: There is no evidence of sanitization or validation of the plan content before it is processed by the agent or subagents.
- Command Execution & RCE (HIGH): The core purpose of the skill is to have subagents 'Verify implementation works' and 'Follow TDD', which involves executing code and running test suites. When combined with the lack of input validation on the plan files, this allows for the execution of arbitrary commands if a malicious plan is provided.
- Subagent-Driven Exposure (MEDIUM): The skill relies on sub-skills like `finishing-a-development-branch` and `requesting-code-review`. While these provide quality gates, the initial implementation subagent operates with high trust and low oversight before the first review checkpoint, creating a window for malicious persistence or data exfiltration.
Recommendations
- AI detected serious security threats
Audit Metadata