flow-next-work

Warn

Audited by Gen Agent Trust Hub on May 13, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill constructs and executes shell commands using variables derived from user input, such as branch names, file paths, and task descriptions (e.g., git checkout -b <branch>, test -f "<path>", flowctl task create --title "Implement <idea>"). There is no evidence of sanitization for shell metacharacters like semicolons, pipes, or ampersands, which could allow for arbitrary command execution if malicious input is provided.
  • [REMOTE_CODE_EXECUTION]: The skill relies on a bundled executable script flowctl located within the plugin's own directory structure (${DROID_PLUGIN_ROOT:-${CLAUDE_PLUGIN_ROOT}}/scripts/flowctl). Executing scripts provided with the skill increases the execution attack surface compared to standard system binaries.
  • [PROMPT_INJECTION]: The skill has an indirect prompt injection surface where it ingests untrusted data from user arguments or external markdown files and passes it into the context of 'worker' subagents.
      ◦ Ingestion points: Phase 1 processes user arguments and local markdown files to determine task content.
      ◦ Boundary markers: No specific delimiters or instructions are used to separate untrusted user data from the instructions provided in the subagent prompt template.
      ◦ Capability inventory: The agent has access to the filesystem, network (via git), and the ability to execute shell commands and spawn additional agents with inherited permissions.
      ◦ Sanitization: There is no evidence of content validation or escaping before interpolation into the subagent prompt template.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 13, 2026, 01:09 AM