story-done

Pass

Audited by Gen Agent Trust Hub on May 15, 2026

Risk Level: SAFE
Finding categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to run tests based on file paths mentioned in story documents. Without strict validation or sanitization of these paths, a maliciously crafted story file could trigger unintended command execution.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted data from various project files (story files, GDDs, ADRs) to drive its logic and decision-making.
    ◦ Ingestion points: Content is read from Markdown and YAML files, including SKILL.md arguments, tr-registry.yaml, and the GDD/ADR sections referenced in Phase 2.
    ◦ Boundary markers: The skill lacks explicit delimiters or instructions to the agent to treat external content as data rather than as instructions.
    ◦ Capability inventory: The skill has high-privilege capabilities, including shell command execution (Bash), file modification (Write, Edit), and the ability to delegate tasks to other agents (Task).
    ◦ Sanitization: There is no evidence of sanitization, escaping, or validation of the extracted data before it is interpolated into prompts or used as arguments for tool calls.
  • [REMEDIATION_GUIDANCE]: To mitigate these risks, the skill should:
    1) Implement strict validation for any file paths or test names before passing them to the Bash tool.
    2) Wrap content extracted from story files in clear delimiters, with instructions for the agent to ignore any embedded directives.
    3) Sanitize external content to remove potential shell metacharacters before execution.
Audit Metadata
Risk Level
SAFE
Analyzed
May 15, 2026, 12:16 AM
Security Audit — agent-trust-hub — story-done