project-convert

Warn

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill automatically executes a shell script resolved from the project directory. In Section 7 (Hooks Installation), it attempts to find and run scripts/setup-hooks.sh or a relative path script. Executing scripts from a codebase that is currently being 'converted' (which may be an untrusted or newly cloned repository) allows for arbitrary code execution on the user's machine.
  • [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection (Category 8). It performs a 'Discovery Baseline' by reading all code roots, API surfaces, and existing documentation fragments (READMEs, notes) to generate the new workflow documentation.
      • Ingestion points: Reads arbitrary content from src/, app/, package.json, README, and other codebase signals in Section 2.
      • Boundary markers: No explicit boundary markers or instructions are provided to the agent to disregard instructions embedded within the source files being analyzed.
      • Capability inventory: The skill can write files to the project directory (docs/, tasks/) and execute bash commands (Section 7).
      • Sanitization: There is no evidence of sanitization or filtering of the content discovered in the codebase before it is synthesized into docs/architecture.md or docs/plans.md. An attacker could embed malicious instructions in code comments that would then be promoted to the project's 'official' documentation or milestones.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 5, 2026, 12:38 PM