workflow-enforcer-skill

Warn

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: MEDIUM (PROMPT_INJECTION)
Full Analysis
  • Prompt Injection (MEDIUM): The skill uses imperative 'no-bypass' language designed to override the agent's internal decision-making processes.
      ◦ Evidence: The instructions include phrases like 'No exceptions, no rationalizations, no shortcuts' and 'Stop and use the appropriate agent' when the agent identifies a reason to skip a tool.
      ◦ Risk: This mirrors 'Ignore previous instructions' patterns and may pressure the agent to disregard safety protocols or ethical constraints if a malicious request is framed as a standard workflow task (e.g., a 'bug fix').
  • Indirect Prompt Injection (MEDIUM): The skill serves as a dispatcher that ingests untrusted data and routes it to higher-capability tools.
      ◦ Ingestion points: SKILL.md mandates processing 'ANY user request' before responding.
      ◦ Boundary markers: Absent. The skill does not use delimiters or protective wrappers when processing or announcing the task derived from user input.
      ◦ Capability inventory: The skill utilizes TaskCreate and TodoWrite for state management and delegates execution to a catalog of 70+ specialized agents (including security auditors and deployment engineers) listed in reference/agents-catalog.md.
      ◦ Sanitization: Absent. There is no logic provided to sanitize, validate, or filter user input before it is passed to the next agent in the chain.
  • Persistence & Global Triggering (LOW): The config.json and SKILL.md specify that the skill is 'automatic on all sessions' and 'applies to EVERY project.' This enforces a specific set of instructions globally without a per-session opt-in mechanism, increasing the impact of any contained injection vulnerabilities.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 16, 2026, 08:42 AM