project-documentation-workflow

Fail

Audited by Gen Agent Trust Hub on May 13, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill's implementation logic contains a command injection vulnerability. The project path or description supplied by the user is assigned to a variable that is interpolated directly into a shell command string, with no escaping and no separation between command and data.
  • Evidence: In SKILL.md, the requirement variable (derived from $ARGUMENTS) is embedded into a string passed to the Bash tool: Bash({ command: ccw cli -p "... PROJECT TO ANALYZE: ${requirement}" ... }). The value lands inside a double-quoted shell argument, where a double quote, $(...) and backticks keep their shell meaning.
  • Impact: An attacker who controls the description can include shell metacharacters (a closing quote followed by a semicolon, or a $(...) substitution) to terminate the intended argument and run arbitrary commands with the privileges of the process that executes the Bash tool.
  • [PROMPT_INJECTION]: The documentation workflow is susceptible to indirect prompt injection, as agents are instructed to analyze untrusted source code and metadata files which may contain malicious instructions.
  • Ingestion points: Documentation agents read project files identified by {target_scope} in instructions/agent-instruction.md.
  • Boundary markers: Absent. The instruction template lacks delimiters or warnings to treat ingested file content as data rather than instructions.
  • Capability inventory: Documentation agents have access to tools including Bash, Write, and spawn_agents_on_csv, providing a significant impact surface if an agent follows instructions embedded in source code.
  • Sanitization: Project file content is processed in its raw form without sanitization or verification of its content.
Recommendations
  • Do not interpolate the requirement text into the Bash command string. Pass it to ccw as a separate process argument, via stdin or a temporary file; if the Bash tool's string interface is unavoidable, wrap the value as a single-quoted shell literal (with embedded single quotes escaped) before interpolation.
  • Wrap every ingested file in explicit boundary markers in instructions/agent-instruction.md and state that content between the markers is data to document, not instructions to follow.
  • Apply least privilege to documentation agents: remove Bash and spawn_agents_on_csv from their tool set unless required, and confine Write to the documentation output directory.
Audit Metadata
Risk Level: HIGH
Analyzed: May 13, 2026, 06:38 PM
Security Audit — agent-trust-hub — project-documentation-workflow