write-a-prd

Warn

Audited by Gen Agent Trust Hub on May 12, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides templates for shell commands that include placeholders for variables derived from user input or the local environment.
    Evidence: SKILL.md contains commands like:
      gh api repos/{owner}/{repo}/milestones --jq '.[].title'
      grep -rl "relevant-keyword" docs/solutions/
      gh issue list --label research --state closed --search "<feature keywords>" --limit 5
      ls ~/.claude/research/<repo-slug>/
    Risk: If the agent interpolates these variables without proper escaping or validation, an attacker could provide input containing shell metacharacters (e.g., ;, |, `) to execute arbitrary commands on the system.
  • [DATA_EXFILTRATION]: The skill reads information from local paths, including the user's home directory and the repository's documentation, and transmits this data to GitHub by creating issues and milestones.
    Ingestion Points: ~/.claude/research/, docs/solutions/, and GitHub issue history.
    Target: GitHub (a well-known service).
    While this behavior aligns with the skill's stated purpose, the automated movement of local data to a remote platform should be monitored.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes data from potentially untrusted external sources (Category 8).
    Ingestion points: docs/solutions/ (Step 4), GitHub issues (Step 4), and research archives in ~/.claude/research/ (Step 4).
    Boundary markers: The skill does not define clear delimiters or instructions to the agent to ignore embedded commands within these sources when generating the PRD.
    Capability inventory: The skill has the ability to execute shell commands (gh, grep, ls), read local files, and perform network writes (creating GitHub issues).
    Sanitization: There are no explicit instructions to sanitize or validate the content retrieved from these external sources before it is included in the final output.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 12, 2026, 04:19 PM