The Agent Skills Directory

[COMMAND_EXECUTION]: The skill exhibits a command injection surface by interpolating user-provided input (the <concept> variable) directly into shell commands within the prompts for sub-agents. Examples include grep -l "<concept>", git log --grep="<concept>", and cass search "<concept>". A malicious user could provide input designed to escape the double quotes and execute arbitrary shell commands.
[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes data from external, potentially untrusted sources like git history, session transcripts, and documentation files.
Ingestion points: Data enters the agent's context through files in .agents/handoff/, .agents/research/, .agents/learnings/, and .agents/patterns/, as well as outputs from the git and cass CLI tools.
Boundary markers: The skill fails to use boundary markers or explicit "ignore embedded instructions" warnings when asking sub-agents to process these files.
Capability inventory: The skill has access to the Bash tool and can write files to the .agents/research/ directory.
Sanitization: No sanitization or validation of the ingested content is performed before it is analyzed by the sub-agents or included in the final report.

trace