The Agent Skills Directory

[PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection because it is designed to ingest and process information from external data sources provided by the user.
Ingestion points: SKILL.md Step 1 (Gather Requirements) explicitly instructs the agent to collect information from external URLs (e.g., Notion, Figma, GitHub, Jira, Slack).
Boundary markers: The plan template and workflow instructions lack specific guidance on using delimiters or safety warnings when incorporating content from these external sources.
Capability inventory: The skill can write files to the project's .tasks/ directory, launch additional agent instances for reviews, and execute system commands for identifier generation.
Sanitization: No sanitization or validation of the external source data is described in the workflow.
[COMMAND_EXECUTION]: The workflow involves the execution of local system utilities and development tools.
Evidence: SKILL.md Step 3 recommends the use of uuidgen for generating unique task identifiers. Additionally, references/plan-json-schema.md provides yq commands as examples for programmatically managing plan metadata.

impl-plan