The Agent Skills Directory

[DYNAMIC_CONTEXT_INJECTION]: The skill utilizes shell commands within its YAML frontmatter to populate the agent's initial context with project metadata (e.g., current stage, sprint history, and session state). These commands use standard utilities (cat, ls, head) to read local project-specific files and do not incorporate user-controlled input or access sensitive system credentials.
[INDIRECT_PROMPT_INJECTION]: The skill ingests data from external project files which could technically contain malicious instructions if the project files themselves were compromised.
Ingestion points: Reads content from production/stage.txt, production/session-state/active.md, and metadata from other skill files in .claude/skills/.
Boundary markers: No explicit delimiters are used to wrap the ingested content.
Capability inventory: The skill is restricted to Read, Glob, and Grep tools, meaning it cannot execute arbitrary code or perform network operations based on the ingested data.
Sanitization: No explicit sanitization of file content is performed. Despite the ingestion surface, the lack of dangerous capabilities makes this a safe implementation for workflow tracking.
[DATA_EXPOSURE]: The skill reads project-level status files to provide advice to the user. All file access is constrained to the project environment (e.g., production/, docs/, design/) and does not target sensitive user directories or system configuration files.

help