flow-next-capture
Pass
Audited by Gen Agent Trust Hub on May 13, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill has an inherent surface for indirect prompt injection because it ingests untrusted data from the conversation history to synthesize specifications (Phase 1.1). This is mitigated by a mandatory human-in-the-loop review process before any files are written.
  - Ingestion points: Verbatim user turns are extracted from the recent conversation history in Phase 1.1.
  - Boundary markers: The extracted content is isolated within a '## Conversation Evidence' block, and every line in the final spec is tagged with its source ([user], [paraphrase], [inferred]).
  - Capability inventory: The skill uses 'Bash' to run local scripts, 'Write' and 'Edit' to manage spec files, and 'Task' to delegate read-only exploration to subagents.
  - Sanitization: A mandatory 'Read-back loop' (Phase 4) requires the user to approve the full draft before 'flowctl' performs any writes. The skill also includes a 'Ralph-block' to prevent execution in autonomous environments where a human reviewer is not present.
- [COMMAND_EXECUTION]: The skill uses the 'Bash' tool to execute 'flowctl', a bundled utility script located within the plugin directory, as well as 'jq' and 'git' for project management. These commands are used to create and update specification files in the '.flow/' directory. Shell arguments are parsed and used in a manner that avoids direct execution of unvalidated user input.
Audit Metadata