subagent-driven-development

Pass

Audited by Gen Agent Trust Hub on Apr 12, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection vulnerability surface where untrusted implementation plan data is incorporated into subagent prompts.
    - Ingestion points: Implementation plan text and task descriptions are read from external files and interpolated into prompts in implementer-prompt.md and spec-reviewer-prompt.md.
    - Boundary markers: The prompts lack clear delimiters (such as XML tags or triple-backticks) or explicit instructions to the subagents to ignore potential instructions within the ingested task text.
    - Capability inventory: The subagents are granted significant capabilities, including the ability to modify the codebase, execute tests via shell commands, and commit changes.
    - Sanitization: There is no evidence of sanitization, filtering, or validation of the implementation plan content before it is processed by the subagents.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 12, 2026, 02:59 AM