task-prd-creator

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS

Full Analysis
  • PROMPT_INJECTION (HIGH): The skill is vulnerable to Indirect Prompt Injection because it ingests untrusted data from local project files (e.g., ARCHITECTURE.md) and external library documentation via the Context7 MCP. It lacks boundary markers or sanitization for this content, meaning malicious instructions within those sources could override the agent's behavior during implementation.
    ◦ Ingestion points: references/full-guide.md (Step 3: reading system files via cat; Step 4: fetching external docs via mcp_context7).
    ◦ Boundary markers: Absent; untrusted content is directly interpolated into the reasoning process.
    ◦ Capability inventory: File system modification (creating PRDs/Tasks), directory traversal, and tool execution.
    ◦ Sanitization: None detected for ingested external content.
  • COMMAND_EXECUTION (HIGH): The workflow requires the agent to execute a recursive grep command (grep -r "similar_pattern" [project]/) where the pattern is derived from the user's request. If the agent environment does not sanitize these inputs, a user could provide a malicious feature name to execute arbitrary shell commands via the pattern argument.
    ◦ Evidence: references/full-guide.md (Step 3, point 2).
  • EXTERNAL_DOWNLOADS (LOW): The skill requires the use of the Context7 MCP to fetch documentation from external sources. While functional, this introduces a dependency on an external, non-trusted service and pulls third-party data into the prompt context.
    ◦ Evidence: references/full-guide.md (Step 4).
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 15, 2026, 09:20 PM