flow-next-audit

Pass

Audited by Gen Agent Trust Hub on May 13, 2026

Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to execute various system commands including git, grep, jq, sed, and date. It also executes a bundled utility called flowctl located within the plugin's script directory. These tools are used as intended for auditing project files and managing repository state.
  • [DATA_EXFILTRATION]: The skill is designed to interact with GitHub using the gh command-line tool to create pull requests for audited changes. This activity targets a well-known service as part of the expected development workflow.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface because it ingests and processes content from .flow/memory/ files and GLOSSARY.md files, which may contain untrusted data.
      • Ingestion points: The skill walks the memory tree and reads the body of memory entries in workflow.md (Phase 0.1 and Phase 1.1).
      • Boundary markers: There are no explicit delimiters or instructions to ignore embedded commands when the agent processes the ingested content.
      • Capability inventory: The skill has the ability to write or edit files (Write and Edit tools in workflow.md Phase 4 and Phase 6), delete files (git rm in workflow.md Phase 4), and perform git operations including commits and pull request creation (workflow.md Phase 5).
      • Sanitization: No sanitization or validation of the ingested content is performed before it is used by the agent to make engineering decisions.
Audit Metadata
Risk Level: SAFE
Analyzed: May 13, 2026, 01:09 AM