backlog-md

Pass

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it instructs the agent to read and process data from the Backlog.md system, which can be modified by external actors.
    * Ingestion points: Data enters the agent's context through CLI commands like backlog task <id> --plain, backlog task list --plain, and backlog search --plain (as seen in SKILL.md and references/task-workflow.md).
    * Boundary markers: The skill does not provide instructions to use delimiters or specific ignore-instructions for the data retrieved from the backlog.
    * Capability inventory: The agent can create/edit tasks, assign users, mark criteria as complete, and reference local files using the --ref flag.
    * Sanitization: There is no mention of sanitizing or validating retrieved data before the agent processes it.
  • [COMMAND_EXECUTION]: The skill relies on shell-based interaction with the backlog CLI tool.
    * The documentation in references/cli-reference.md suggests using complex shell patterns such as command substitution ($(printf ...)) and ANSI-C quoting ($'...') for multi-line inputs. These patterns could lead to command injection if the agent interpolates untrusted data into the shell environment without adequate escaping or validation.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 29, 2026, 05:13 PM