test-from-target

Warn

Audited by Gen Agent Trust Hub on Mar 24, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill explicitly instructs the agent to execute shell commands to run tests.
    - Evidence: Rule 12 states: "After writing tests, always run the full ${testFile} suite (e.g. npm test -- ${testFile})."
    - Risk: This instruction creates an execution path for shell commands using variable input. If the ${testFile} parameter is maliciously crafted to include shell metacharacters, it could result in arbitrary command injection on the host system.
  • [COMMAND_EXECUTION]: The agent is instructed to execute code that it has dynamically generated or modified.
    - Evidence: The skill directs the agent to "update the real ${testFile} on disk" and then immediately execute it using the test runner.
    - Risk: This is a high-risk pattern where an agent could be manipulated (via prompt injection or complex logic) into writing and then executing malicious code within the test suite.
  • [PROMPT_INJECTION]: The skill has a significant attack surface for indirect prompt injection from the source code it processes.
    - Ingestion points: The content of the ${sourceFile} (implementation file) and the ${targetCode} (class/method name) are provided as context to the agent.
    - Boundary markers: The instructions do not define boundary markers or delimiters to help the agent distinguish between its own instructions and the content of the untrusted code being analyzed.
    - Capability inventory: The agent possesses powerful capabilities including file system write access (${testFile}) and shell command execution (npm test).
    - Sanitization: There is no requirement for the agent to sanitize or validate the content of the source files before incorporating them into the prompt or the generated test code.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 24, 2026, 03:17 PM