The Agent Skills Directory

[EXTERNAL_DOWNLOADS]: The skill's sandbox detection and TDD logic perform runtime installations of third-party packages. Specifically, references/sandbox-detection.md suggests and executes npm i -g chromux and npm i -g playwright, which are global installations of code from external registries. references/tdd-guide.md also performs npm install -D vitest and pip install pytest.
[COMMAND_EXECUTION]: The orchestrator executes shell commands derived directly from the spec.json and verification recipes. Files such as references/verify-recipes/cli.md and references/verify-recipes/server.md execute commands based on input that may be influenced by external project data or sub-agent outputs.
[PROMPT_INJECTION]: The skill implements a 'self-read' pattern for worker agents, where instructions are dynamically built and passed to sub-agents. It is vulnerable to indirect prompt injection because it ingests data from untrusted sources without sanitization.
Ingestion points: spec.json, .hoyeon/specs/{name}/context/learnings.json, .hoyeon/specs/{name}/context/issues.json, and round-summaries.json.
Boundary markers: None identified; data is interpolated directly into worker descriptions and prompts.
Capability inventory: The skill has extensive capabilities including Bash (shell execution), Write/Edit (file modification), and network access via curl in several recipes.
Sanitization: No escaping or validation is performed on the 'learnings' or 'issues' collected from previous workers before they are provided as context to new workers.
[PRIVILEGE_ESCALATION]: In references/verify-ralph.md, the skill explicitly instructs the agent to use sed to modify a protected file because the platform's Edit tool is blocked by a security guard (ralph-dod-guard). This represents a deliberate bypass of environmental security constraints.

execute