eliteforge-codex-superpower
Pass
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes existing feature-spec.md files from the repository to identify dependencies (described in references/zero-one-delivery.md and references/feature-evolution.md).
  - Ingestion points: The skill scans all docs/features/*/spec/feature-spec.md files to identify strong dependencies during the discovery and evolution phases.
  - Boundary markers: The instructions do not define specific delimiters or instructions for the agent to ignore potential instructions embedded within the ingested feature specifications.
  - Capability inventory: The lead agent has the capability to execute shell commands, manage git branches/worktrees, and run local scripts, which could be steered by malicious content in the scanned files.
  - Sanitization: No specific content-level sanitization or filtering is performed on the ingested text before it is integrated into the planning phase.
- [COMMAND_EXECUTION]: The skill relies on executing several local shell and Python scripts to perform its core orchestration and validation functions.
  - Evidence:
    - scripts/create_agent_worktree.sh and scripts/collect_agent_patch.sh are bash scripts that interact with the git CLI to manage worktrees and patches.
    - scripts/render_reports.py and scripts/validate_feature_docs.py are Python scripts used for generating and validating workspace documentation.
  - Context: These executions are triggered by the lead agent as part of the intended development workflow. While the scripts include basic input validation (such as regex checks for branch names in the worktree script), they represent a capability that could be misused if the lead agent's orchestration logic is compromised via injection from project files.
Audit Metadata