The Agent Skills Directory

[PROMPT_INJECTION]: The skill processes an external implementation plan via the path provided in the argument ($0) and interpolates its full content into the system prompts of multiple subagents (Implementer, Reviewer, and Integrator). This configuration is vulnerable to indirect prompt injection if the plan file is sourced from an untrusted origin.
Ingestion points: The plan file is loaded using the Read($0) command in SKILL.md.
Boundary markers: Absent; the content of the plan is directly embedded into subagent prompts without delimiters or instructions to ignore embedded commands.
Capability inventory: Subagents are granted access to Write, Edit, and Bash tools to perform their tasks.
Sanitization: Absent; no validation or escaping is applied to the tasks or exit conditions defined in the plan before they are used to drive shell command execution.
[COMMAND_EXECUTION]: The Implementer and Reviewer subagents are explicitly instructed to execute shell commands (e.g., build, lint, test) defined within the plan's 'tasks' and 'exit conditions'. This allows an attacker who can modify the plan file to execute arbitrary commands on the host system via the agent's Bash tool.
[DATA_EXFILTRATION]: The 'Reviewer' subagent is instructed to perform integration tests, which include using curl to verify endpoints. A malicious plan could define a test that sends sensitive local data (such as environment variables or configuration files) to an external server under the guise of a behavioral check.

team-implement-plan