secure-coding-generate

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Threat Category: PROMPT_INJECTION
Full Analysis
  • Prompt Injection (HIGH): The skill is susceptible to Indirect Prompt Injection (Category 8) via its rule-loading mechanism.
  • Ingestion points: The skill uses the Read tool to ingest content from arbitrary markdown files in the rules/ directory based on the user-provided $ARGUMENTS.
  • Boundary markers: No delimiters or 'ignore embedded instructions' warnings are present to distinguish between legitimate rules and malicious instructions in the files.
  • Capability inventory: The agent is instructed to 'strictly follow' every rule to generate executable code and architectural decisions, giving external content high influence over the final output.
  • Sanitization: There is no logic to validate or escape the content of the rule files before they are interpreted as requirements.
  • Data Exposure (MEDIUM): The skill uses Glob and Read tools to access the local file system. Because the file selection logic is based on natural language mapping of user arguments, a malicious user could attempt to manipulate the 'domain determination' step to read sensitive files outside the intended rules/ scope.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 01:29 PM