The Agent Skills Directory

[DATA_EXFILTRATION]: The skill user-stories-to-api-spec performs automated discovery by searching for sensitive authentication patterns within the source code.
Evidence: grep -rn "Bearer\|AddJwtBearer\|Authorization" --include="*.cs" . | head -5 in SKILL.md.
This behavior can inadvertently expose real hardcoded credentials, API keys, or JWT tokens stored in project files by displaying them in the agent's context during the convention detection phase.
[PROMPT_INJECTION]: The skill pipeline is susceptible to indirect prompt injection because it processes untrusted requirements files through multiple stages without validation.
Ingestion points: SKILL.md reads requirements.md; SKILL1.md reads the resulting API spec; SKILL2.md reads the technical plan to create GitLab issues.
Capability inventory: The skills can write files (create_file) and interact with external systems via GitLab tools (mcp__gitlab__create_issue).
Sanitization: There are no boundary markers or instructions to sanitize or ignore embedded commands in the requirements data, allowing an attacker to potentially influence the generated tasks and issue tracking.
Impact: Malicious requirements could lead to the creation of misleading GitLab issues, incorrect task assignments, or the injection of malicious content into project documentation.
[COMMAND_EXECUTION]: The skills rely heavily on shell-based discovery tools for environment analysis.
Evidence: Extensive use of find, grep, and cat via bash_tool across SKILL.md and SKILL1.md to map the project architecture.
While intended for legitimate automation, the lack of strict input sanitization for paths (like the requirements file path) could be exploited if the agent fails to properly scope these commands.

user-stories-to-api-spec