project-onboarding

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • PROMPT_INJECTION (HIGH): The skill processes external documentation files without any sanitization or boundary markers, making it highly susceptible to indirect prompt injection.
      • Ingestion points: The scripts/onboard-docs.sh script (Step 3) crawls the user-provided CODE_PATH and reads files like README.md, ARCHITECTURE.md, and others into RAG collections.
      • Boundary markers: Absent. There are no delimiters or specific instructions to the agent to treat this content as untrusted data.
      • Capability inventory: The skill possesses extensive capabilities, including writing YAML configuration files, creating semantic routing rules that govern future agent queries, and performing shell-level filesystem modifications.
      • Sanitization: Absent. Content from the documentation is directly used to populate the agent's knowledge and influence its decision-making logic.
  • COMMAND_EXECUTION (MEDIUM): The shell scripts perform operations that are potentially dangerous if input parameters are not strictly controlled.
      • Evidence: The ln -sf "$CODE_PATH" "code/${PROJECT}" command in scripts/onboard-project.sh allows for the creation of symlinks to any path. An attacker could potentially use this to link sensitive directories like ~/.ssh or /etc into the agent's workspace.
      • Evidence: The script uses shell redirection (cat > ... << EOF) with unquoted variables, which could lead to command injection if the project metadata contains shell metacharacters.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 03:42 AM