writing-plans
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill transforms untrusted design input into executable tasks, creating a significant attack surface. (1) Ingestion points: User-provided design documents and feature requests in SKILL.md. (2) Boundary markers: Absent. No delimiters or warnings are present to prevent the agent from obeying instructions embedded in the design data. (3) Capability inventory: Generates Python code and shell commands (pytest, git). It explicitly references sub-skills for task execution. (4) Sanitization: Absent. There is no logic to sanitize or validate design input before it is interpolated into the plan.
- [Dynamic Execution] (LOW): The skill generates script-like templates and CLI commands at runtime. Evidence: Implementation tasks include Python code blocks and shell execution commands. Context: This behavior is expected for a coding planning tool but contributes to the potential impact of an injection.
Audit Metadata