skills-workflows

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • COMMAND_EXECUTION (MEDIUM): The 'preprocessing' syntax (!command) enables the execution of arbitrary shell commands (e.g., git, gh, psql, node) during the skill's initialization. While the documentation advises against side effects and secrets, the mechanism itself automatically runs code before the AI processes the prompt. If a skill file using this pattern is maliciously modified, it could lead to unauthorized local command execution.
  • PROMPT_INJECTION (LOW): The skill documentation encourages patterns that are highly susceptible to Indirect Prompt Injection (Category 8). Specifically, it recommends using preprocessing to pull in live data such as PR comments (gh pr view --comments) or logs (tail -50 /var/log/app.log) directly into the prompt.
    • Ingestion points: Preprocessing commands (!gh pr view --comments, !gh pr diff, !tail ...) and reading artifact files (artifacts/*.md).
    • Boundary markers: Absent. The templates show external data being interpolated directly into markdown sections without delimiters or 'ignore' instructions.
    • Capability inventory: The skill allows powerful tools including Bash, Write, Edit, and TaskCreate.
    • Sanitization: None mentioned. There is no guidance on escaping or validating the content of the ingested data to prevent embedded instructions from hijacking the agent.
  • DATA_EXFILTRATION (LOW): The 'State Handoff' pattern relies on persisting project decisions and task states in plain-text files (artifacts/, context.md). While intended for workflow continuity, this pattern risks the persistence and potential exposure of sensitive data within the workspace if users are not diligent about sanitizing the information written to these artifacts.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 17, 2026, 06:32 PM