The Agent Skills Directory

[Indirect Prompt Injection] (LOW): The skill is designed to ingest and aggregate data from large, untrusted external sources (codebases, documents, PRDs) which presents a vulnerability surface.
Ingestion points: Data enters the agent's context through view_file, grep, and glob operations across entire directories as specified in SKILL.md and references/document-aggregation.md.
Boundary markers: There are no explicit instructions for the agent to wrap processed content in delimiters or use "ignore embedded instructions" markers for sub-agents.
Capability inventory: The skill employs run_command (for grep), view_file, and a task tool for spawning recursive sub-agents.
Sanitization: No sanitization or escaping of external content is specified before the data is processed by sub-agents.
[Command Execution] (SAFE): The use of system commands (grep, ls, wc, glob) is restricted to information retrieval and file analysis consistent with the skill's stated purpose.
[Prompt Injection] (SAFE): The instructions emphasize task decomposition and context management; no attempts to bypass safety filters or override system-level constraints were identified.
[Metadata Poisoning] (SAFE): While the references to future research (2025) and models (GPT-5) appear to be fictional or synthesized, they serve as illustrative frameworks for the skill's logic and do not deceive the user regarding the skill's security or capabilities.

recursive-decomposition