The Agent Skills Directory

[PROMPT_INJECTION] (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8).
Ingestion points: The skill reads markdown files in the todos/ directory, which are populated from 'findings or feedback,' 'PR comments,' and 'code findings.' These are attacker-controllable external sources.
Boundary markers: Absent. The instructions do not define delimiters or provide warnings for the agent to ignore embedded instructions within the todos/ files.
Capability inventory: The agent has the capability to execute shell commands (ls, grep, cp, mv, awk), modify the filesystem, and is integrated into critical workflows like /review and /resolve_pr_parallel.
Sanitization: Absent. The content from the files is directly processed and used to drive workflows without validation or escaping.
[COMMAND_EXECUTION] (LOW): The skill relies on shell pipes for its management logic.
Evidence: Workflows include complex pipes such as ls todos/ | grep -o '^[0-9]\+' | sort -n | tail -1 | awk '{printf "%03d", $1+1}'. While the regex provides some safety, the reliance on shell execution increases the risk of exploitation if injection occurs elsewhere.

file-todos