specify-meta
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The workflow defined in SKILL.md interpolates user-controlled variables directly into shell command strings (e.g., Bash(spec.py "$featureName")). This creates a command injection surface if the agent's execution environment does not robustly escape variable contents.
- [COMMAND_EXECUTION]: The spec.py script contains a path traversal vulnerability in its template addition logic. The --add argument is used to construct a destination path without validating for parent directory references, allowing files to be written to unintended locations on the filesystem.
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface.
  - Ingestion points: Specification IDs, feature names, and directory metadata are processed as untrusted input.
  - Boundary markers: There are no explicit markers or instructions to isolate or ignore embedded commands within the processed data.
  - Capability inventory: The skill is authorized to use the Bash, Read, Write, Edit, and TodoWrite tools.
  - Sanitization: Although spec.py employs regex-based sanitization for directory names, this protection is bypassed in the shell command wrapper and the template path construction.
Audit Metadata