end
Pass
Audited by Gen Agent Trust Hub on Jun 22, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes untrusted source code and configuration files from the project being analyzed to build its refactoring plan.
  - Ingestion points: The skill reads various project files, including 'package.json', 'pyproject.toml', 'Cargo.toml', and source code across multiple languages (JS, TS, Python, Go, etc.) as defined in SKILL.md rules 1 and 2.
  - Boundary markers: The instructions do not mandate the use of explicit delimiters or instructions to ignore embedded commands when the agent reads external file content.
  - Capability inventory: The agent has the capability to write to the local filesystem (refactoring) and execute project scripts for validation after receiving explicit user authorization.
  - Sanitization: There are no instructions to sanitize or validate the content of ingested files before they are processed by the agent's logic.
- [COMMAND_EXECUTION]: The skill is designed to identify and execute project-specific validation commands (e.g., build, lint, typecheck) as part of its verification process.
  - Evidence: Operating Rules 6 and 12 explicitly describe detecting package managers and executing validation scripts to ensure code quality after modifications. These actions are protected by a requirement for explicit user consent (e.g., 'go', 'start', 'proceed').
Audit Metadata