Gen Agent Trust Hub audit: skills/srstomp/pokayokay/planning

planning

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Categories: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill is vulnerable to indirect prompt injection via the processing of untrusted project documentation.
      • Ingestion points: As defined in references/prd-analysis.md, the skill is designed to parse external and potentially attacker-controlled documents such as PRDs, Concept Briefs, Feature Specs, and Slack/Email threads.
      • Boundary markers: There are no specified delimiters or instructions to ignore embedded malicious commands within the PRD text, allowing instruction leakage into the agent's planning phase.
      • Capability inventory: The skill possesses extensive write capabilities, including generating several files in the .claude/ directory and making state-changing tool calls to the ohno MCP server (mcp__ohno__create_task, mcp__ohno__add_dependency).
      • Sanitization: The instructions lack any requirement for sanitizing or validating the input data before it influences the agent's actions or the content written to the filesystem.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill directs the agent to suggest or perform external plugin installations.
      • Finding: references/design-integration.md explicitly tells the agent to recommend the command `claude plugin install design` if a UI/UX feature is detected. This promotes the execution of unverified third-party code within the user's environment.
  • [COMMAND_EXECUTION] (MEDIUM): The skill performs environment-modifying operations based on analysis of untrusted data.
      • Finding: It uses custom MCP tools such as mcp__ohno__create_task and mcp__ohno__add_task_activity to alter the project's task database and session logs based on keywords and content found in potentially malicious input documents.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:50 PM