component

Pass

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: SAFE
Flags: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface. It retrieves untrusted design context from external Figma URLs through the get_design_context MCP tool (references/actions/structure.md, references/actions/dev.md). Ingestion points: Figma design context is fetched and used to drive code generation. Boundary markers: the logic specifies no delimiters and no instructions to ignore commands that may be embedded in the fetched design data. Capability inventory: the skill can read and write files and execute shell commands such as lint and typecheck as part of the implementation ship loop (SKILL.md, references/actions/dev.md). Sanitization: there is no mention of sanitizing the design data before the agent processes it.
  • [COMMAND_EXECUTION]: The skill executes local shell commands during the development and audit phases. Evidence: the dev action (references/actions/dev.md) automatically runs lint and typecheck commands, and the audit action (references/actions/audit.md) uses grep and glob to scan local files. These capabilities are standard for a developer tool, but they could be leveraged if the agent's instructions were overridden through an injection attack.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 4, 2026, 11:44 PM