oma-frontend

Pass

Audited by Gen Agent Trust Hub on May 9, 2026

Risk Level: SAFE
Tags: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill uses aggressive, hyperbolic, and threatening language ("touch it and you die", "fatal self-error", "BANNED") to override the agent's behavior and enforce a specific technical convention regarding Next.js file naming (using proxy.ts instead of middleware.ts). This is an instructional override pattern designed to force compliance by suppressing the model's standard reasoning and internal knowledge.
  • [INDIRECT_PROMPT_INJECTION]: The skill architecture allows for the automatic injection of "Vendor-specific execution protocols" from external file paths such as ../_shared/runtime/execution-protocols/{vendor}.md. This represents a potential vulnerability surface where external, unverified content can define the agent's execution logic.
    • Ingestion points: External protocol files referenced in SKILL.md under the References section.
    • Boundary markers: None identified; the instructions suggest these protocols are integrated into the agent's core workflow.
    • Capability inventory: The skill has capabilities for codebase search (rg), file modification (WRITE), and shell command execution (npx).
    • Sanitization: No validation or sanitization of these injected protocols is documented.
  • [COMMAND_EXECUTION]: The canonical workflow encourages the use of shell tools like rg (ripgrep) for searching the codebase and npx tsc for type checking. While standard for development, these represent capability surfaces that can be leveraged by malicious instructions.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 9, 2026, 02:17 PM