The Agent Skills Directory

Indirect Prompt Injection (HIGH): The skill's core functionality involves ingesting and analyzing untrusted external data (the user's source code) while having access to sensitive tools including Bash, Write, and Task.
Ingestion points: Source code files are identified and read during Phase 1.5 (phases/01.5-project-exploration.md) and Phase 2 analysis.
Boundary markers: Absent. The prompts in templates/agent-base.md and phases/01.5-project-exploration.md do not use delimiters or instructions to isolate the code being analyzed from the agent's logic, making it susceptible to instructions hidden in code comments.
Capability inventory: The agent can execute arbitrary shell commands via Bash and create/modify files via Write.
Sanitization: No evidence of sanitization or filtering of the content read from the source files before it is processed by the AI agents.
Command Execution (MEDIUM): The skill explicitly uses the Bash tool to execute system commands for project exploration and directory management.
Evidence: phases/01.5-project-exploration.md instructs agents to run rg (ripgrep) and a project-specific tool ccw to list modules and locate files. SKILL.md uses Bash to create the workspace directory structure.
Metadata Poisoning (LOW): While the skill uses metadata for document generation, most fields are populated via AskUserQuestion (Phase 1), which involves direct user interaction, reducing the risk of automated poisoning unless the user themselves provides malicious input.

copyright-docs