skills/driangle/taskmd/add-task/Gen Agent Trust Hub

add-task

Warn

Audited by Gen Agent Trust Hub on Apr 22, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill's instructions guide the agent to take user-supplied input from the $ARGUMENTS variable and interpolate it directly into a bash command line (e.g., taskmd add "[title]"). Without explicit instructions to sanitize for shell metacharacters such as backticks, semicolons, or command substitution syntax, this creates a significant risk of command injection if the user provides a malicious task description.
  • [PROMPT_INJECTION]: The skill processes untrusted data from $ARGUMENTS and uses it to drive both command flags and the subsequent editing of files. There are no boundary markers (delimiters) or sanitization steps defined to prevent the user input from containing instructions that could override the agent's logic or the structure of the task being created.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 22, 2026, 11:00 PM