exploration-workflow

Warn

Audited by Gen Agent Trust Hub on Apr 3, 2026

Risk Level: MEDIUM
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it orchestrates a workflow that heavily relies on ingesting and processing external requirements data.
  • Ingestion points: The workflow reads from exploration/session-brief.md and various files in exploration/captures/ (such as problem-framing.md, brd-draft.md, and user-stories-draft.md) to build context for subsequent agent calls.
  • Boundary markers: The instructions do not specify the use of clear delimiters or instructions to ignore embedded commands within the ingested markdown files.
  • Capability inventory: The skill has access to Bash, Read, and Write tools, and it executes several internal Python scripts (dispatch.py, check_gaps.py, execute.py, generate_workflow.py) to perform its tasks.
  • Sanitization: There is no indication that the content of the captures or the session brief is sanitized or validated before being interpolated into the context of sub-agent dispatches.
  • [COMMAND_EXECUTION]: The skill's 'Re-Entry' section contains a documentation pattern that suggests an unsafe use of the shell: echo "CONTEXT: [describe the blocking ambiguity or engineering question here]" > /tmp/reentry-context-$$.md. If the agent follows this instruction literally and substitutes un-sanitized text (from the user, or from the ingested capture files) into the placeholder, that text is parsed as part of a double-quoted shell word: $(...), backticks and $VAR references are expanded before echo runs, and a double quote inside the text closes the word so that a following ; or newline starts a new command. Either route gives arbitrary command execution in the shell environment the agent runs in. The weakness is in building the command line by text substitution; passing the text to the shell as a single quoted argument (or writing the file without going through a shell at all) avoids it.
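The following is an added example, not code from the exploration-workflow skill or from the audit. It places the re-entry write pattern quoted above (simulated with sh -c, which stands in for an agent that assembles the command as a string) beside a form that passes the text as a quoted argument to printf, and checks both against a constructed payload containing a command substitution. The function names, the payload and the marker-file check are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the exploration-workflow skill): the re-entry write pattern
# quoted in the audit, beside a form that cannot be turned into command execution.
# Function names and the payload below are constructed for this demonstration.

# Unsafe: the caller's text is spliced into the command line before the shell parses it.
# `sh -c` stands in for an agent that builds the command as a string and then runs it.
unsafe_write_context() {
  context_text=$1
  out_file=$2
  sh -c "echo \"CONTEXT: $context_text\" > \"$out_file\""
}

# Safe: the text travels as one quoted argument; printf prints it and never re-parses it.
safe_write_context() {
  context_text=$1
  out_file=$2
  printf 'CONTEXT: %s\n' "$context_text" > "$out_file"
}

# Constructed payload of the kind that could sit in an ingested capture file.
# The command substitution only runs if some shell re-parses the text.
build_payload() {
  # $1 is the path of a marker file the payload tries to create.
  printf 'needs clarification $(touch %s)' "$1"
}

# Returns 0 if the unsafe pattern executed the payload (the marker file appeared).
unsafe_pattern_executes_payload() {
  workdir=$(mktemp -d)
  marker="$workdir/marker"
  unsafe_write_context "$(build_payload "$marker")" "$workdir/context.md"
  if [ -e "$marker" ]; then rc=0; else rc=1; fi
  rm -rf "$workdir"
  return $rc
}

# Returns 0 if the safe pattern wrote the payload verbatim and created no marker.
safe_pattern_keeps_payload_literal() {
  workdir=$(mktemp -d)
  marker="$workdir/marker"
  payload=$(build_payload "$marker")
  safe_write_context "$payload" "$workdir/context.md"
  if [ ! -e "$marker" ] && grep -Fq -- "$payload" "$workdir/context.md"; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$workdir"
  return $rc
}

# Run both checks when executed directly.
if unsafe_pattern_executes_payload; then
  echo "unsafe pattern: payload executed"
fi
if safe_pattern_keeps_payload_literal; then
  echo "safe pattern: payload written literally"
fi
```

The safe form removes the shell re-parse but nothing else: the same text still reaches the file and the sub-agent context, so the PROMPT_INJECTION finding above is untouched by it. A quoted heredoc (cat <<'EOF') is an equally safe way to write the file when the agent emits the text as a body rather than an argument. The predictable /tmp/reentry-context-$$.md name from the skill's pattern is worth replacing with a mktemp-generated path in either form.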
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 3, 2026, 06:09 PM