tdd-workflows-tdd-cycle

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill creates a significant attack surface by processing untrusted user data ($ARGUMENTS) and feeding it to subagents capable of code generation and modification.
  • Ingestion points: Throughout SKILL.md, user input from $ARGUMENTS is used in Phase 1 (Requirements/Architecture), Phase 2 (Test Writing), Phase 3 (Implementation), Phase 4 (Refactoring), and Phase 5 (Integration).
  • Boundary markers: Absent. The user input is directly concatenated into the prompt strings (e.g., 'Analyze requirements for: $ARGUMENTS') without the use of delimiters, XML tags, or 'ignore embedded instructions' warnings.
  • Capability inventory: The skill orchestrates subagents with 'Write' capabilities, specifically backend-development::backend-architect for production code and unit-testing::test-automator for test suites. These subagents are instructed to create functional code based on the provided arguments.
  • Sanitization: Absent. There is no mechanism described to validate, escape, or sanitize the content of $ARGUMENTS before it is passed to the subagents.
  • Risk: An attacker could provide malicious requirements designed to hijack the subagent's logic, leading to the generation of backdoored code, unauthorized file system modifications, or exfiltration of sensitive data if the subagent has network access.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 01:16 AM