implement

Pass

Audited by Gen Agent Trust Hub on Apr 8, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the Bash tool extensively to automate software development tasks including git operations, worktree management, dependency installation, and running test suites (e.g., npm test, poetry run pytest). This behavior is consistent with its primary purpose as an implementation assistant.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because user-supplied arguments ($ARGUMENTS) are interpolated directly into the instructions for background agents (e.g., workflow-architect) without strict boundary markers or sanitization. This is a common architectural pattern in orchestration skills but remains a vulnerability surface.
    ◦ Ingestion points: User input captured via $ARGUMENTS in SKILL.md is passed to multiple Agent() calls in references/agent-phases.md.
    ◦ Boundary markers: None present; user input is embedded as a raw string within agent prompts.
    ◦ Capability inventory: The spawned agents have full access to file system modification (Write, Edit) and shell execution (Bash) tools.
    ◦ Sanitization: No input validation or sanitization logic is implemented for the provided feature descriptions.
  • [DATA_EXFILTRATION]: Network operations are conducted via WebFetch (for documentation) and the gh CLI (for PR monitoring). These operations target well-known services (GitHub) and documentation sites for legitimate workflow purposes and do not indicate unauthorized data exfiltration.
  • [SAFE]: The skill implements a persistence mechanism via CronCreate to monitor PR health. This is documented, intended for project maintenance, and includes logic for self-deletion (CronDelete), minimizing security risks.
  • [SAFE]: Git worktree isolation is used to maintain project integrity during parallel implementation. The skill includes explicit rules for cleanup (ExitWorktree) to prevent orphaned worktrees from cluttering the host environment.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 8, 2026, 11:39 PM