The Agent Skills Directory

[PROMPT_INJECTION]: The skill employs strong persona lock-in instructions, commanding the agent to act as an 'expert designer' who must 'never hedge' and 'pick one BOLD direction'. It also uses meta-instructions ('This document is an execution instruction, not a reference') to override default behavioral logic.
[COMMAND_EXECUTION]: The workflow involves executing shell commands such as grep for validation, git restore for rollbacks, and a Python command check (python3 -c "import playwright") to detect dependencies.
[INDIRECT_PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted data from design briefs and project files.
Ingestion points: Reads external design.md files and project source code (HTML/CSS).
Boundary markers: Absent. There are no delimiters or instructions to ignore embedded commands within the processed files.
Capability inventory: The skill possesses file-writing capabilities and the ability to fork background subagents with dynamic prompts.
Sanitization: Absent. Content from the design brief (particularly §17 Agent Prompt) is used directly to guide code implementation, which could allow an attacker to inject malicious instructions into the agent's context.
[REMOTE_CODE_EXECUTION]: The skill utilizes a background task mechanism (Task(run_in_background=true)) to invoke a subagent with a dynamically generated prompt. While the intended use is verification, this pattern allows for the execution of complex instructions outside the main agent's immediate oversight.

insane-design-apply