design-md

Warn

Audited by Gen Agent Trust Hub on Jun 16, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses shell commands that incorporate unvalidated user input. Specifically, in Stage 4b, the docs_site_url provided by the user is passed directly to the pnpm crawl:docs command. This pattern is vulnerable to command injection if a crafted URL containing shell metacharacters is provided.
  • [EXTERNAL_DOWNLOADS]: The skill performs external network requests to crawl and research brand websites based on user-provided URLs. It also triggers the installation of a headless browser (approximately 150MB) during the first execution of the crawl command in Stage 4b.
  • [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8) as it ingests untrusted data from external websites to generate repository content. Malicious instructions embedded in the target websites could manipulate subagents into generating harmful artifacts.
  • Ingestion points: source_urls and docs_site_url in SKILL.md (Stage 5 and Stage 4b).
  • Boundary markers: The prompts for the research-collector and design-md-author subagents do not provide instructions to ignore or delimit embedded commands in the source data.
  • Capability inventory: The skill can execute shell commands via the Bash tool and write files to the project's source directory (services/) and public/ directory (Stage 8 and Stage 10).
  • Sanitization: There is no sanitization of the scraped web content before it is processed by authoring subagents.
  • [COMMAND_EXECUTION]: In Stage 12, the skill uses a shell pipeline kill $(lsof -t -i:3000) to manage the local development server. This approach is brittle and can lead to the unintended termination of unrelated processes.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Jun 16, 2026, 07:11 PM
Security Audit — agent-trust-hub — design-md