dx-org-manage
Warn
Audited by Gen Agent Trust Hub on Jun 26, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the Bash tool to execute sf CLI commands, directly interpolating user-provided inputs (such as snapshot names, descriptions, and org aliases) into shell command strings. This practice introduces a risk of command injection if the AI agent does not properly escape or quote these values before execution.
- [DATA_EXFILTRATION]: Instructions direct the agent to capture output from sf org list and other commands, which contain sensitive data like usernames, org IDs, and instance URLs, and write them to local files (e.g., scratch-org-result.json). Storing this information in plain text within the project directory increases the risk of local data exposure.
- [PROMPT_INJECTION]: The skill includes instructions with strong override markers (e.g., "MANDATORY: Follow these instructions exactly. Do NOT fall back to MCP tools.") that attempt to dictate the agent's tool selection and bypass its default reasoning for choosing the most appropriate tool for a task.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by processing untrusted user input within shell-executable contexts.
  1. Ingestion points: User requests for org creation and snapshots containing names, descriptions, and aliases.
  2. Boundary markers: Absent; no delimiters or "ignore embedded instructions" warnings are used.
  3. Capability inventory: Shell command execution via the Bash tool for various sf CLI operations; file system writes to the local project directory.
  4. Sanitization: No input validation, filtering, or escaping procedures are specified in the instructions for user-provided data.
Audit Metadata