The Agent Skills Directory

[INDIRECT_PROMPT_INJECTION]: The Tech Lead agent processes untrusted data from the 'beads' (bd) task management system.
Ingestion points: The agent reads task descriptions, acceptance criteria, and comments via bd show [task-id] --long to perform reviews and create implementation plans.
Boundary markers: No boundary markers or instructions to ignore embedded commands are present in the prompt templates when interpolating data from the task system.
Capability inventory: The agent can execute shell commands (e.g., cat GUARDRAILS.md), read local environment variables, and modify state in the task management system.
Sanitization: No sanitization or validation of the input retrieved from the task system is performed before it is processed by the model.
[DATA_EXFILTRATION]: The companion script scripts/run-tl-loop.sh uses a sharing mechanism that could expose sensitive data.
Evidence: The command opencode run --attach "http://127.0.0.1:$TL_PORT" --model "$TL_MODEL" --share includes the --share flag.
Risk: This flag typically generates a public URL for the agent's session. Because the Tech Lead handles technical specifications, architecture plans, and code reviews, using this flag could expose proprietary project information to the public internet.
[COMMAND_EXECUTION]: The skill relies on shell command execution for its primary operating logic.
Evidence: The Session Start Protocol and Quality Gate Enforcement sections instruct the agent to run commands like cat GUARDRAILS.md and check $AGENT_LOOP_MODE to determine its execution context.

tech-lead