create-plan
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill mandates execution of a shell script at ./.forge/skills/create-plan/validate-plan.sh. The script's source is not included in the skill's file set, so its behavior cannot be verified and it could execute arbitrary commands on the host system.
- [PROMPT_INJECTION] (HIGH): The skill is highly susceptible to indirect prompt injection. Evidence chain:
  1. Ingestion point: the skill uses the search and read tools to ingest untrusted content from the user's codebase (SKILL.md).
  2. Boundary markers: none are specified to delimit codebase content from agent instructions.
  3. Capability inventory: the skill can create new files in the plans/ directory and execute shell scripts (SKILL.md).
  4. Sanitization: no sanitization or validation of the ingested codebase content is mentioned.
  Processing untrusted data with command-execution capabilities and no content boundary lets an attacker steer the agent through malicious content planted in the repository.
- [COMMAND_EXECUTION] (MEDIUM): The validation step interpolates the plan filename (plans/{YYYY-MM-DD}-{task-name}-v{N}.md) into a shell command. If {task-name} is derived from user input or codebase metadata without strict sanitization, shell metacharacters in it are interpreted by the shell, allowing command injection.
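The MEDIUM finding above concerns the shape of the shell call, not the validator itself, whose source the audit could not inspect. The following POSIX sh is an added illustration, not the skill's own validate-plan.sh: it shows the vulnerable interpolation (with echo standing in for the validator so it is safe to run) beside a hardened builder that allowlists every filename component and passes the path as a single argument, plus a digest check on the validator before it is executed. The function names, the sample task names and the digest placeholder are constructed for this example.

```shell
#!/bin/sh
# Added example, not the skill's own validate-plan.sh (which the audit could
# not inspect). Illustrates the MEDIUM finding: an untrusted {task-name}
# spliced into plans/{YYYY-MM-DD}-{task-name}-v{N}.md and then into a shell
# command, beside one hardened shape.

# Constructed sample inputs: a benign name, and one an attacker who controls
# repository content (e.g. a heading the agent copies as the task name) might
# plant.
BENIGN_TASK='add-rate-limit'
MALICIOUS_TASK='fix-auth; echo INJECTED #'

# Vulnerable shape: the name is interpolated into a command string and handed
# to sh -c. 'echo' stands in for the validator so this is safe to run; with the
# malicious name the shell executes two commands instead of one.
vulnerable_validate() {
    sh -c "echo plans/$1-$2-v$3.md"
}

# Allowlist for {task-name}: ASCII letters, digits and single internal
# hyphens, 1 to 64 characters. Spaces, ';', '$', '.', '/' and friends are all
# rejected, so the value can carry neither shell metacharacters nor a path
# escape.
is_safe_task_name() {
    case "$1" in
        ''|*[!A-Za-z0-9-]*|-*|*-|*--*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# Build the plan path only from validated components. Prints the path on
# success; prints nothing and returns 1 if any component is rejected.
plan_path() {
    date_str="$1"; task_name="$2"; version="$3"
    case "$date_str" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    is_safe_task_name "$task_name" || return 1
    case "$version" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf 'plans/%s-%s-v%s.md\n' "$date_str" "$task_name" "$version"
}

# Hardened shape: pin the validator to a reviewed digest (placeholder value;
# record the real one once the script has actually been read), then pass the
# path as one argument. No command string is assembled, so nothing in the
# path is ever parsed by a shell.
VALIDATOR='./.forge/skills/create-plan/validate-plan.sh'
EXPECTED_SHA256='<sha256 of the reviewed validate-plan.sh>'
run_validator() {
    path="$1"
    actual=$(sha256sum "$VALIDATOR" | cut -d ' ' -f 1) || return 1
    if [ "$actual" != "$EXPECTED_SHA256" ]; then
        echo "refusing to run $VALIDATOR: digest mismatch" >&2
        return 1
    fi
    "$VALIDATOR" "$path"
}

# Stand-alone demonstration.
echo "vulnerable shape with malicious name:"
vulnerable_validate 2026-02-16 "$MALICIOUS_TASK" 1
echo "hardened shape with benign name:"
plan_path 2026-02-16 "$BENIGN_TASK" 1
if plan_path 2026-02-16 "$MALICIOUS_TASK" 1; then
    echo "unexpected: malicious name accepted"
else
    echo "malicious name rejected"
fi
```

Running it prints two lines for the vulnerable call (the plan path, then INJECTED), one path for the hardened call, and a rejection for the malicious name. The allowlist is deliberately narrower than "strip dangerous characters": a positive pattern over the whole value is the check that does not need a list of every metacharacter the shell, the filesystem and the validator might each interpret.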
Recommendations
- AI detected serious security threats
Audit Metadata