managing-sprints

Warn

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill has a significant attack surface for indirect prompt injection. It retrieves data from an external project management tool (via pm-context) and interpolates it into prompts for agents that have code-modification privileges.
  • Ingestion points: The planning.md and executing.md files describe processes for fetching epic details, work item summaries, and acceptance criteria from an external PM tool.
  • Boundary markers: The templates in prompts/code-analysis.md and prompts/execution-agent.md use structural markers like # CONTEXT and Acceptance Criteria: {ACCEPTANCE_CRITERIA}, but they lack explicit instructions to the LLM to ignore or escape any instructions embedded within these external data strings.
  • Capability inventory: The sub-agents (engineering-agent, code-analysis-agent) are granted capabilities to search the codebase (Glob/Grep), read files, and write/modify code.
  • Sanitization: No sanitization, filtering, or validation is performed on the data fetched from the PM tool before it is utilized in agent prompts.
  • [COMMAND_EXECUTION]: In reviewing.md, the skill describes a workflow that executes shell commands such as npm test or pytest to validate work. This execution path is inherently risky if the preceding 'execution' phase (where agents modify the codebase) is influenced by malicious instructions from a compromised PM tool.
  • [REMOTE_CODE_EXECUTION]: The orchestration of agents to generate and modify source code, followed by the execution of that code (or tests targeting it), effectively establishes a dynamic execution pipeline. If an attacker can inject malicious implementation requirements into a work item, the engineering agent may implement those instructions, which are then executed during the validation phase.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 1, 2026, 05:33 PM