The Agent Skills Directory

[COMMAND_EXECUTION]: The skill utilizes the Bash tool to perform session management tasks such as creating directories in .workflow/.multi-cli-plan/ and reading local schema definitions from ~/.ccw/workflows/. These operations are standard for workflow orchestration and restricted to the local project environment.
[REMOTE_CODE_EXECUTION]: The orchestrator delegates analysis and plan generation to sub-agents like @cli-discuss-agent and @cli-lite-planning-agent. This represents a design pattern for multi-agent systems where tasks are handed off to specialized models; it does not involve the execution of unverified remote scripts or binaries.
[PROMPT_INJECTION]: The skill exposes an attack surface for indirect prompt injection by processing external project data.
Ingestion points: Project context gathered via ACE semantic search (relevant_files), project-tech.json, and specification files in the specs/ directory.
Boundary markers: Absent. Content is stringified as JSON and directly interpolated into sub-agent prompts.
Capability inventory: The workflow can call the Bash tool for file operations and Skill tool for execution handoff.
Sanitization: Absent. There is no evidence of validation or filtering of external content before it is processed by the agents.
Mitigation: The risk is mitigated by Phase 4 of the workflow, which requires explicit user selection and approval of the generated implementation strategy before moving to the execution phase.

workflow-multi-cli-plan