prd-implementation-precheck

Pass

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: SAFE
Finding categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is exposed to indirect prompt injection because it reads untrusted content from external PRD files and from the codebase and uses that content to drive its implementation logic. If a PRD carries attacker-written instructions, whether in visible text or hidden in comments, the agent may follow them during the coding phase as though they came from the user.
  • Ingestion points: Workflow step 1 in SKILL.md and the usage example in README.md indicate the agent reads PRD files (e.g., docs/feature-prd.md) and codebase files (src/*.ts).
  • Boundary markers: None. The instructions do not specify delimiters or warnings to ignore instructions embedded within the PRD content.
  • Capability inventory: The skill is granted Write, Edit, and Bash permissions, allowing it to modify the file system and execute shell commands.
  • Sanitization: No sanitization or validation steps are defined for the content extracted from the PRD before it is used to influence agent actions.
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to run grep with strings taken directly from the PRD (e.g., grep -r "pattern_from_prd"). A malicious PRD can therefore supply a string containing shell metacharacters (e.g., "; rm -rf /) and have the shell run arbitrary commands. Escaping the string inside a shell command line is a fragile fix; the robust one is to pass the PRD string to grep as a single argument without invoking a shell at all, and to terminate option parsing (grep -e PATTERN -- PATH) so a string beginning with "-" cannot be read as a grep option.
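The injection path in the COMMAND_EXECUTION finding, shown as an added example that is not part of the audit or of the prd-implementation-precheck skill itself. The PRD patterns and the sample src/user.ts file are constructed here; grep_unsafe reproduces the flagged shape (PRD text spliced into a shell string), grep_safe is the argv form with -F, -e and -- that the finding calls for, and shell_view tokenizes the interpolated command so the separator injection is visible without running it.

```python
import shlex
import subprocess
import tempfile
from pathlib import Path

# Constructed sample inputs (not taken from any real PRD):
#   a benign search term a PRD might legitimately carry, and a hostile one
#   that closes the quoted grep argument and appends further shell commands.
BENIGN_PATTERN = "getUser"
HOSTILE_PATTERN = 'getUser"; touch pwned.txt; echo "'


def make_sample_repo() -> Path:
    """Create a throwaway tree standing in for src/*.ts (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="prd-precheck-"))
    (root / "src").mkdir()
    (root / "src" / "user.ts").write_text(
        "export function getUser(id: string) { return db.find(id); }\n"
    )
    return root


def shell_view(pattern: str, root: str) -> list[str]:
    """Tokenize the interpolated command the way a POSIX shell would, so the
    ';' separators and the injected 'touch' show up as their own words."""
    cmd = f'grep -r "{pattern}" {root}'
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    return list(lexer)


def grep_unsafe(pattern: str, root: Path) -> None:
    """The shape the audit flags: PRD text is spliced into a shell string,
    so shell metacharacters in it are interpreted by /bin/sh."""
    subprocess.run(
        f'grep -r "{pattern}" {root}',
        shell=True, cwd=root, stdin=subprocess.DEVNULL,
        capture_output=True, text=True,
    )


def grep_safe(pattern: str, root: Path) -> list[str]:
    """Hardened form: an argv list and no shell. -F treats the PRD string as a
    literal, -e keeps a leading '-' from being parsed as an option, and '--'
    ends option parsing before the search path."""
    proc = subprocess.run(
        ["grep", "-r", "-n", "-F", "-e", pattern, "--", str(root)],
        cwd=root, stdin=subprocess.DEVNULL, capture_output=True, text=True,
    )
    # grep exits 1 for "no match"; anything above 1 is a real error
    if proc.returncode > 1:
        raise RuntimeError(proc.stderr.strip())
    return proc.stdout.splitlines()


def demo() -> dict:
    """Run the hostile pattern through both forms and report what happened."""
    results = {}

    root = make_sample_repo()
    grep_unsafe(HOSTILE_PATTERN, root)
    # pwned.txt exists only if the injected 'touch' actually ran
    results["unsafe_ran_injected_command"] = (root / "pwned.txt").exists()

    root = make_sample_repo()
    results["hostile_literal_matches"] = len(grep_safe(HOSTILE_PATTERN, root))
    results["safe_ran_injected_command"] = (root / "pwned.txt").exists()
    results["benign_matches"] = len(grep_safe(BENIGN_PATTERN, root))
    results["shell_tokens"] = shell_view(HOSTILE_PATTERN, "src")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

If the PRD is allowed to supply a regular expression rather than a literal, keep -E or -G in place of -F; the part that removes the command-execution risk is the argv list with no shell, not the fixed-string flag. The search path should likewise be pinned to the repository root by the skill rather than taken from the PRD.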
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 5, 2026, 02:59 PM