The Agent Skills Directory

[COMMAND_EXECUTION] (HIGH): The skill uses the Bash tool to execute commands (e.g., ls spaces/[project-name]/, mkdir, cp) using the user-provided <project-name> argument. There is no evidence of input validation or sanitization, which could allow an attacker to execute arbitrary commands by supplying a project name containing shell metacharacters (e.g., ; rm -rf / or $(curl ...)).
[PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8). It reads external, potentially untrusted content from files like CLAUDE.md, README.md, and planning documents in ideas/ using the Read and Grep tools. Since the agent uses the Bash tool to perform actions based on its evaluation of these files, malicious instructions embedded in project documentation could trick the agent into executing unauthorized shell commands.
Ingestion points: Files CLAUDE.md, README.md, package.json, docs/*.md, and ideas/[project]/README.md are read into the agent context.
Boundary markers: None identified. The skill does not use delimiters or instructions to ignore embedded commands in the files it validates.
Capability inventory: The skill has access to the Bash tool, allowing it to list files, create directories, and copy files.
Sanitization: No sanitization or validation of file content is performed before processing or before using derived information in shell commands.

validate-space