conductor-pro

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is designed to decompose external requests into atomic sub-tasks and orchestrate other agents. This creates a significant vulnerability where malicious instructions embedded in user-provided data or external files could influence the orchestration logic.
  • Ingestion points: The 'Requirement Decomposition' step (Step 1) in the workflow in SKILL.md processes external requests directly.
  • Boundary markers: None. There are no instructions to use delimiters or ignore instructions within the data being decomposed.
  • Capability inventory: The skill can call codebase_investigator (file system access), db-enforcer (database modification), and generic activate_skill commands.
  • Sanitization: Absent. There is no logic for validating or escaping content before it is passed to the sub-agent tools.
  • [Persistence Mechanisms] (LOW): The skill implements a 'Plan Persistence' protocol that stores state in ~/.gemini/plans/. While intended for session recovery, this allows the agent to maintain and execute long-running sets of instructions across sessions, which could be exploited to maintain a foothold if a malicious plan is initialized.
  • [Command Execution] (MEDIUM): The skill uses a cheat sheet to chain tactical skills such as db-enforcer and prisma-expert. Although these are defined in its internal registry, the objective parameter passed to these tools is not validated, which poses a risk of unintended command execution or privilege misuse.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 06:27 AM