skills/srstomp/pokayokay/prd-analyzer/Gen Agent Trust Hub

prd-analyzer

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill's core purpose is to ingest and parse untrusted external content (PRDs, concept briefs, Slack threads, and emails) to generate structured project data.
      • Ingestion Points: references/prd-analysis.md explicitly instructs the agent to handle diverse formats, including informal sources like 'Slack/Email Thread'.
      • Capability Inventory: The skill produces a tasks.db (SQLite), PROJECT.md, and features.json. These files serve as the 'shared project context' for other high-capability skills such as api-design and database-design.
      • Boundary Markers: The analysis instructions lack explicit guidance on using XML delimiters or boundary markers to isolate untrusted content during the parsing process.
      • Sanitization: No logic is provided to sanitize or validate the extracted requirements before they are inserted into the database or the shared PROJECT.md file. A malicious PRD could include 'hidden' tasks like 'Exfiltrate credentials' that an agent might naively include in the implementation plan, which downstream skills would then treat as authoritative requirements.
  • Command Execution (LOW): The skill requires the agent to manage a SQLite database (tasks.db) using the schema defined in references/database-schema.md. While this is a standard functional capability, it creates a vector for SQL injection if the agent interpolates raw text from the analyzed documents into SQL commands without proper parameterization.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 01:15 AM