The Agent Skills Directory

[PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection by processing data from the local file system and issue tracking tools that may contain untrusted content.
Ingestion points: The agent is instructed to read contents from .worklog/, .claude/patterns/, and .claude/schemas/elements.json, as well as processing issue titles and descriptions via the bd tool.
Boundary markers: No explicit delimiters or instructions are provided to the agent to treat this data as untrusted or to ignore potential instructions embedded within them.
Capability inventory: The skill utilizes Read, Glob, Grep, and Bash tools, which allow for reading file contents and executing shell commands.
Sanitization: There is no evidence of sanitization or validation of the content ingested from these sources before it is processed.
[COMMAND_EXECUTION]: The skill uses the Bash tool to execute local commands for project management, git workflow, and code validation.
Evidence: It executes git for branch management and commits, npm for running tests and linters (such as eslint, stylelint, and pa11y), and a custom bd tool for issue tracking. While these are typical development operations, they represent a capability that could be targeted if the inputs to these commands are derived from malicious external sources.

pre-flight-check