impl-do
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes tasks based on external plan files and incorporates generated learnings into permanent instruction files.
- Ingestion points: `plan.md` and `plan.json` are split into packets used as primary instructions for subagents. Additionally, `memory.md` is used to update `AGENTS.md` or `CLAUDE.md` at the end of the workflow.
- Boundary markers: No explicit delimiters or instructions to disregard embedded commands within the plan content are used; subagents are explicitly told to treat packets as their primary specification.
- Capability inventory: The orchestrator can perform git commits and modify instruction files. The implementer subagent can write files and execute arbitrary shell commands for building and testing.
- Sanitization: There is no automated sanitization of content extracted from the plan or the memory files before processing or integration.
- [COMMAND_EXECUTION]: The `implementer.md` subagent is instructed to run verification checks including static analysis (linter, type checker), test execution, and build checks. These operations involve executing shell commands that may be defined within the user's project or influenced by the task description provided in the plan files.