The Agent Skills Directory

Indirect Prompt Injection (HIGH): The skill possesses a high-risk ingestion surface combined with autonomous execution capabilities.
Ingestion points: The agent 'Discusses & clarifies requirements' with users and performs 'Codebase Research' to gather context from existing files (SKILL.md).
Boundary markers: There are no defined delimiters or instructions provided to the agent to treat external codebase content or user implementation requirements as untrusted data.
Capability inventory: The skill creates and modifies files (docs/task/*.md, TASKS.md) and, in auto mode, uses the Task tool to programmatically spawn the /implement agent, which further chains to /test (Playwright E2E execution) and /ship.
Sanitization: No sanitization or validation logic is defined to prevent malicious instructions in the codebase or user input from being incorporated into the generated task document.
Evidence: The automation logic specifically directs the agent: 'Use Task tool to spawn /implement {task-name} with model: opus' and 'Do NOT wait for user to invoke /implement'. If a malicious instruction is injected into the implementation steps during the planning phase, it will be executed autonomously.
External Downloads (LOW): The skill recommends installing plugins from vercel-labs/agent-skills and supabase/agent-skills.
Trust Evaluation: Both vercel-labs and supabase are listed as Trusted GitHub Organizations. Per [TRUST-SCOPE-RULE], these references are downgraded to LOW/INFO as the sources are verified, though the behavior of the installed skills remains subject to analysis.
Dynamic Execution (MEDIUM): In auto mode, the skill dynamically assembles and executes a multi-agent pipeline.
Evidence: The skill uses the Task tool to programmatically trigger subsequent agents based on the content of the docs/task/*.md file it just generated. This represents runtime assembly of executable agent workflows based on potentially untrusted content.

plan