orchestrating-codex

Pass

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: SAFE
Finding categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill employs strong, high-priority directives (marked with 🔴) that instruct the agent to bypass its own context analysis phase and immediately delegate tasks based on raw user input.
  • [PROMPT_INJECTION]: The skill contains an Indirect Prompt Injection surface by design, as it interpolates untrusted user content directly into prompts for downstream agents.
  • Ingestion points: The "Phase 1: 計画策定" (Phase 1: Planning) section in WORKFLOW-GUIDE.md and INSTRUCTIONS.md specifies passing the {ユーザー要求} (user requirement) placeholder directly to the planner agent.
  • Boundary markers: The prompt template uses simple bold markers (e.g., **ユーザー要求:**) but lacks robust delimiters or explicit instructions to the sub-agent to ignore instructions embedded within the provided data.
  • Capability inventory: The sub-agents invoked (e.g., tachikoma-architecture, tachikoma-database, tachikoma-bash) have extensive capabilities including file system modification, database schema execution, and version control operations via Jujutsu (jj).
  • Sanitization: The instructions explicitly discourage sanitization by stating "Codex本体はファイルを読まない・分析しない" (Codex itself does not read or analyze files), relying entirely on the sub-agent to handle potentially malicious input safely.
  • [COMMAND_EXECUTION]: The orchestrated workflow involves the parallel execution of multiple sub-agents with significant operational permissions. While intended for development, this capability could be exploited if a malicious implementation plan is successfully injected via the indirect prompt vector.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 6, 2026, 02:12 PM