implement

Pass

Audited by Gen Agent Trust Hub on May 5, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection because it processes untrusted plan files and incorporates their content into instructions for itself and its subagents.
  • Ingestion points: Technical plan files located in the plans/ directory (SKILL.md).
  • Boundary markers: Absent. The skill does not use delimiters or instructions to ignore embedded directions within phase titles or "Changes Required" sections when passing them to subagents.
  • Capability inventory: Spawning Task subagents, modifying source code, running success criteria tests (shell commands), and updating project state files (SKILL.md).
  • Sanitization: Absent. There is no evidence of filtering or validation of plan content before it is used to drive agent behavior.
  • [COMMAND_EXECUTION]: The skill performs dynamic shell command construction that is susceptible to injection from untrusted plan content.
  • Evidence: The "Step 0: Prior-art check" instructs the agent to execute uv run "{{HOME_TOOL_DIR}}/skills/recall/scripts/recall.py" "<QUERY>", where <QUERY> is derived from phase and module names in the plan. A malicious plan could include shell metacharacters (e.g., ;, &, |) in these fields to achieve arbitrary command execution.
  • Evidence: In "Wave Execution Mode," subagents are prompted to "Run Success Criteria checks." Since these checks are defined in the plan, an attacker-controlled plan could define malicious commands as success criteria.
Audit Metadata
Risk Level: SAFE
Analyzed: May 5, 2026, 09:05 AM