project-update

Warn

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
  • [COMMAND_EXECUTION]: In Section 7, the skill dynamically resolves a path to a shell script (scripts/setup-hooks.sh) and executes it with the bash interpreter. This allows arbitrary code execution if an attacker places a malicious script in the project directory.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8).
    • Ingestion points: The agent reads multiple project-controlled files, including docs/architecture.md, docs/plans.md, docs/implement.md, and docs/secrets.md (Section 2).
    • Boundary markers: No delimiters or protective instructions are used to distinguish untrusted file content from system-level instructions.
    • Capability inventory: The agent can read and write files and execute shell commands (bash) based on the context loaded from these files.
    • Sanitization: There is no evidence that the documentation content is sanitized or validated before it is used to influence the agent's planning and execution logic.
  • [CREDENTIALS_UNSAFE]: The skill explicitly reads docs/secrets.md in Section 2. Accessing files specifically designated for secrets or credentials poses a high risk of sensitive data exposure or leakage into the conversation history or agent context.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 5, 2026, 12:38 PM