issue-discover
Pass
Audited by Gen Agent Trust Hub on May 13, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from external sources and incorporates it into agent prompts and execution logic.
  - Ingestion points: GitHub issue bodies fetched via `gh issue view` (phases/01-issue-new.md), source code files read during discovery (phases/02-discover.md), and semantic search results from the codebase (phases/03-discover-by-prompt.md).
  - Boundary markers: The instructions do not define explicit delimiters or use 'ignore embedded instructions' warnings when interpolating external content into subagent messages.
  - Capability inventory: The skill possesses significant capabilities, including arbitrary command execution via the `Bash` tool, file system modifications via `Write` and `Edit`, and the ability to delegate tasks via `spawn_agent`.
  - Sanitization: There is no evidence of sanitization or escaping of external content before it is used in CLI commands or agent prompts.
- [COMMAND_EXECUTION]: The skill makes extensive use of the `Bash` tool to automate development workflows. It executes commands for GitHub interaction (`gh issue view`, `gh issue create`), local issue management (`ccw issue`), and project verification (`npx jest`, `npx eslint`). Phase 4 ('Quick Plan & Execute') dynamically generates and executes verification commands based on findings discovered in the codebase. These operations are legitimate for the skill's purpose and are typically gated by user confirmation.
- [EXTERNAL_DOWNLOADS]: The skill utilizes the `mcp__exa__search` tool (Exa) in Phase 2 to perform external research on security and industry best practices. This is a well-known service used for its intended purpose within the discovery workflow.
Audit Metadata