The Agent Skills Directory

[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it ingests untrusted data from multiple sources to generate executable infrastructure code.
Ingestion points: Reads project context from $JAAN_CONTEXT_DIR/tech.md, $JAAN_CONTEXT_DIR/config.md, and outputs from upstream tools like backend-scaffold and frontend-scaffold.
Boundary markers: The prompt does not define specific delimiters or instructions to ignore malicious content embedded within the ingested tech stack or scaffold files.
Capability inventory: The agent has the power to write files to the output directory, edit the plugin settings (settings.yaml), and execute shell scripts for ID generation and index updates.
Sanitization: There is no evidence of sanitization or validation of the input data before it is interpolated into the generated Dockerfiles, shell scripts, and YAML workflows.
[COMMAND_EXECUTION]: The skill executes local shell scripts provided by the plugin environment to manage output organization.
Evidence: Sources and executes ${CLAUDE_PLUGIN_ROOT}/scripts/lib/id-generator.sh and index-updater.sh to generate folder IDs and maintain the project index.
[EXTERNAL_DOWNLOADS]: The skill generates CI/CD workflows that reference and download tools from well-known services and trusted registries.
Evidence: References GitHub Actions such as dorny/paths-filter, actions/setup-node, docker/build-push-action, and oasdiff/oasdiff-action.
Evidence: Configures stages to run npx for tools like @stoplight/spectral-cli and stryker from the NPM registry.
Note: These references target well-known technology providers and are considered safe under standard operating procedures.

devops-infra-scaffold