doc-accuracy

Pass

Audited by Gen Agent Trust Hub on Apr 26, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exposes a surface for Indirect Prompt Injection (Category 8). In 'Phase 4: Behavioral Verification', the Sonnet agent is instructed to read the full content of documentation files, which are untrusted external input. A malicious actor could embed instructions in a documentation file to manipulate the agent's audit findings or behavior.
  • Ingestion points: Documentation files (e.g., Markdown) are read into the agent's context as shown in the architecture description and Phase 4 prompt template in SKILL.md.
  • Boundary markers: The prompt uses labels like 'DOCUMENTATION FILE:' but lacks strong delimiters around the file content and an explicit instruction to treat that content as data rather than as commands, so nothing prevents the agent from obeying instructions embedded in the document.
  • Capability inventory: The skill utilizes subprocess calls in its scripts and describes a reconciliation phase that involves interactive file modifications.
  • Sanitization: There is no evidence of sanitization or filtering of the documentation content before it is processed by the LLM.
  • [COMMAND_EXECUTION]: The supporting Python script interacts with the host operating system to perform incremental audits.
  • Evidence: In scripts/doc_accuracy.py, the _get_changed_files function utilizes subprocess.run to execute git diff.
  • Context: The script follows sound practice by passing arguments as a list (no shell=True) and placing the -- separator before user-provided arguments so that git parses them as pathspecs rather than as options. The script also includes logic to prevent path traversal (CWE-22) when resolving output directories.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 26, 2026, 03:46 PM