quality-debug

Pass

Audited by Gen Agent Trust Hub on Apr 17, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted data from external sources to define instructions for secondary agents.
  • Ingestion points: The skill reads from {phase_dir}/uat.md (Gaps section) and accepts user input via command-line arguments ($ARGUMENTS).
  • Boundary markers: Absent; instructions for sub-agents are generated and interpolated without delimiters or 'ignore embedded instructions' warnings.
  • Capability inventory: The skill and its spawned agents have access to spawn_agents_on_csv, Bash, Write, Edit, Read, Glob, and Grep tools.
  • Sanitization: Input is slugified for use in directory names, but there is no sanitization of the content that eventually forms the agent instructions.
  • [DYNAMIC_EXECUTION]: The skill uses the spawn_agents_on_csv tool to execute agents based on instructions dynamically generated at runtime and stored in CSV files. This creates a risk where malicious content in processed files (like uat.md) could influence agent behavior.
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to perform file system operations, such as creating session-specific directories (mkdir -p). While slugification is used on the session ID, the underlying pattern involves executing shell commands based on transformed user input.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 17, 2026, 01:12 AM
Security Audit — agent-trust-hub — quality-debug