
specify

Pass

Audited by Gen Agent Trust Hub on Apr 28, 2026

Risk Level: SAFE
Finding categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill ingests user-provided feature descriptions via the $ARGUMENTS variable to drive the specification generation process. This input is not sanitized or wrapped in protective delimiters, creating a risk that malicious instructions within the description could override the skill's logic or influence the generated specification content.
  • [COMMAND_EXECUTION]: The skill executes several shell commands using git to manage branches and directory structures. Specifically, it uses an AI-generated 'short-name' (derived from user input) as an argument in git ls-remote, git branch, and git checkout -b. This creates a vulnerability surface where an adversarial input could attempt to trick the AI into generating a name containing shell metacharacters, potentially leading to arbitrary command execution on the host machine if the agent executes the shell command without proper escaping.
  • [PROMPT_INJECTION]: The skill processes external data (BuildBetter context) if available. This represents an indirect prompt injection surface where instructions hidden in the customer evidence or user stories could influence the agent's behavior during the specification writing phase.
  • Ingestion points: $ARGUMENTS and files in FEATURE_DIR (e.g., buildbetter-context.md, user-stories.md).
  • Boundary markers: None present in the instructions to isolate user or external content.
  • Capability inventory: Shell command execution via git, file system write access for specifications and checklists.
  • Sanitization: No explicit sanitization or validation of the generated branch names or requirement text is specified.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 28, 2026, 05:50 AM