skill-system-review

Warn

Audited by Gen Agent Trust Hub on Apr 11, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The plan-to-bundle operation in scripts/review_prompt.py parses markdown plan files and generates a list of shell commands (tkt_commands). It inserts ticket titles, descriptions, and acceptance criteria directly into these command strings using f-strings without any shell-escaping or sanitization. If an attacker controls the source markdown file, they could inject malicious shell commands that would be executed when the generated output is run by a user or another agent.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through its review prompt generation logic.
      • Ingestion points: Data is ingested from ticket files (YAML/Markdown) in the .tkt/bundles/ directory and from the roadmap.yaml file in scripts/review_prompt.py (via cmd_generate_review_prompt and cmd_generate_startup_review_prompt).
      • Boundary markers: The generated prompts use structured headers (e.g., ## Completed Tickets) but lack robust delimiters or instructions to ignore instructions found within the data.
      • Capability inventory: The skill has filesystem read/write access and the ability to execute the tkt.sh tool using subprocess.run (observed in cmd_generate_dispatch).
      • Sanitization: Content from ticket titles and summaries is not filtered or escaped before being interpolated into the prompt text.
  • [COMMAND_EXECUTION]: In scripts/review_prompt.py, the cmd_generate_dispatch function uses subprocess.run to execute the tkt.sh script when the --auto flag is used. While it uses argument lists to mitigate direct shell injection, the parameters for the --goal and --title flags are sourced from project metadata like carryover.yaml, which could be manipulated to influence the operation of the ticket management utility.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 11, 2026, 12:55 AM