The Agent Skills Directory

[COMMAND_EXECUTION]: Several agents are authorized to use the Bash tool for standard development tasks related to their specific roles.
The Quality Agent uses Bash to execute test commands and check coverage.
The Security Agent uses Bash to run security audit tools like npm audit and safety to check for dependency vulnerabilities.
The Merger Agent utilizes Bash for git operations and interacting with the GitHub CLI (gh) to create pull requests.
[SAFE]: The skill architecture inherently includes security best practices by making security scanning a mandatory gate in the development pipeline. The Security Agent is specifically instructed to detect hardcoded secrets and OWASP vulnerabilities.
[SAFE]: The workflow involves ingesting user-provided feature specifications from the _project_specs/features/ directory, which represents an indirect prompt injection surface.
Ingestion points: Specification files are read by the Team Lead and Feature Agents in SKILL.md and agents/feature.md.
Boundary markers: Explicit delimiters for the ingested data are not defined in the instructions.
Capability inventory: The skill allows agents to modify files (Write/Edit) and create pull requests (gh CLI).
Sanitization: No explicit sanitization or validation of the markdown content is performed prior to ingestion.
The risk is considered acceptable as it is a fundamental part of the skill's intended purpose to translate user requirements into code.

agent-teams