Confidence Check
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM | PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (MEDIUM): The skill ingests untrusted data from external sources to verify implementation plans.
  - Ingestion points: External documentation (WebFetch) and open-source implementation examples (WebSearch/Tavily).
  - Boundary markers: None. The instructions do not define delimiters or provide warnings to ignore embedded instructions in the fetched data.
  - Capability inventory: Tools include codebase access (Read, Grep, Glob) and web access. While it lacks direct execution tools, it dictates the agent's 'Proceed/Stop' logic for subsequent implementation phases.
  - Sanitization: None. External content is analyzed directly.
- Metadata Poisoning (MEDIUM): The skill claims a 1.000 precision/recall rate and over 18,000 GitHub stars. These metrics are unverifiable and appear designed to artificially inflate the perceived safety and reliability of the tool.
- Data Exposure Risk (LOW): The skill workflow involves reading local architecture files (CLAUDE.md, PLANNING.md) and searching the web. There is a risk that sensitive information from the codebase could be leaked if used as search queries for external documentation or code examples.