openspec-bulk-archive-change

Pass

Audited by Gen Agent Trust Hub on Feb 22, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION] (LOW): Indirect Prompt Injection Surface.
      • Ingestion points: The skill reads user-defined markdown files located in openspec/changes/<name>/specs/ and tasks.md.
      • Boundary markers: No explicit delimiters or safety instructions are used to separate the file content from the agent's instructions.
      • Capability inventory: The skill can move directories (mv), create directories (mkdir), and execute several openspec CLI commands.
      • Sanitization: There is no evidence of sanitization or escaping of the content read from the local files.
      • Risk: Malicious instructions hidden in specification files could influence the 'Resolve conflicts agentically' step, leading the agent to perform incorrect merges or misreport the status of changes.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 22, 2026, 05:40 AM