tl-agent-plan-execute
Pass
Audited by Gen Agent Trust Hub on May 1, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to run various shell commands (e.g., git rev-parse, git log, pnpm build, rg) for state verification and build validation. These are standard development operations within the skill's intended scope and are used to verify the state of the codebase relative to the implementation plan.
- [REMOTE_CODE_EXECUTION]: There is an inherent surface for remote code execution because the skill executes "exit gate" commands defined in user-provided .plan.md files. However, the skill explicitly mitigates this by defining a 'Trust Boundary' that instructs the agent to treat these files as untrusted input and providing specific examples of dangerous patterns to block, such as piped shell execution (e.g., curl | sh).
- [DATA_EXFILTRATION]: The instructions include a proactive safety check for data exfiltration, specifically directing the agent to pause and seek user confirmation if a plan requests access to sensitive credential paths like ~/.ssh or ~/.aws, or attempts to send data to unfamiliar hosts.
- [PROMPT_INJECTION]: The skill processes user-provided .plan.md files which could contain malicious instructions (Indirect Prompt Injection). This risk is addressed through the following evidence chain:
  - Ingestion points: Untrusted data enters the agent context via the .plan.md file (SKILL.md).
  - Boundary markers: The 'Trust Boundary' section provides explicit instructions to treat the plan as user-authored input and not to suspend critical judgment (SKILL.md).
  - Capability inventory: The agent is authorized to perform file writes, git operations, and shell command execution based on the plan (SKILL.md).
  - Sanitization: The skill requires manual user confirmation for any operation involving network exfiltration, access to files outside the working tree, or sensitive configuration paths.