team-issue

Pass

Audited by Gen Agent Trust Hub on May 5, 2026

Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it retrieves untrusted data from external sources (issue descriptions, titles, and metadata) and interpolates this content directly into the prompts used to spawn worker agents and execute CLI commands.
      • Ingestion points: The coordinator (Phase 1) loads issue data from command-line arguments and ccw issue list. The explorer role (Phase 2) retrieves detailed issue metadata using ccw issue status.
      • Boundary markers: The skill does not implement explicit boundary markers or 'ignore' instructions to separate ingested data from agent instructions.
      • Capability inventory: The skill has access to powerful tools including Bash for shell command execution, Agent for spawning sub-agents, and filesystem tools like Write and Edit.
      • Sanitization: There is no evidence of sanitization, escaping, or validation of the ingested issue content before it is processed by the agents.
  • [COMMAND_EXECUTION]: The skill extensively uses the Bash tool to run the ccw CLI utility. These shell commands incorporate strings derived from external issue data, which could lead to command injection if the CLI tool or the shell execution environment does not properly handle special characters or malicious inputs within those strings.
Audit Metadata
  Risk Level: SAFE
  Analyzed: May 5, 2026, 04:03 AM