skills/camacho/ai-skills/build-skill/Gen Agent Trust Hub

build-skill

Pass

Audited by Gen Agent Trust Hub on May 4, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill ingests untrusted user input via the args parameter and passes it verbatim to multiple sub-agents and internal tools like /brainstorming and /policy-algebra. This represents a surface for indirect prompt injection, where malicious input could influence the generation or synthesis of the final skill instructions.
      • Ingestion points: User-supplied args string processed in Step 1 and Step 5.
      • Boundary markers: None explicitly defined to separate untrusted data from instruction templates when passing to sub-agents.
      • Capability inventory: File system writes to ~/.claude/skills/, execution of pnpm validate, and use of the /ship tool.
      • Sanitization: The skill instructions explicitly state to pass the specification "verbatim," with no mention of sanitization or validation of the input content.
  • [COMMAND_EXECUTION]: The skill executes several local shell commands to manage the environment and validate output, including git rev-parse, mktemp, and pnpm validate. While these are part of a standard development workflow, they run in the local user context based on the generated content.
Audit Metadata
Risk Level: SAFE
Analyzed: May 4, 2026, 06:42 AM