flow-next-plan

Pass

Audited by Gen Agent Trust Hub on May 10, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exposes an attack surface for indirect prompt injection. It processes untrusted data from the user via $ARGUMENTS and from external sources via its research 'scouts' (e.g., docs-scout, github-scout). That data is used to synthesize build plans and tasks without explicit boundary markers or sanitization logic, so instructions embedded in fetched documentation or repository content reach the planning step with the same standing as the user's own request.
  • Ingestion points: User input in SKILL.md, and research_findings in steps.md (passed to the flow-gap-analyst subagent).
  • Boundary markers: No explicit delimiters (e.g., XML tags or clear separators) are defined where the untrusted input is interpolated, so the model has no structural cue separating data to be summarized from instructions to be followed.
  • Capability inventory: The skill uses a bundled flowctl tool to perform file system operations (creating and modifying files under .flow/) and can trigger subsequent automated workflows such as /flow-next:plan-review.
  • Sanitization: There is no evidence of sanitization or validation of the content being processed or written into the task specifications.
  • [COMMAND_EXECUTION]: The skill relies heavily on executing a local flowctl script located in the plugin's root directory. This is intended behavior for the skill's task-tracking functionality, but the commands are built from variables (such as spec IDs and task IDs). If an injected value can reach those variables, and they are interpolated into a command string rather than passed as separate arguments, shell metacharacters or a leading dash in the value could change what flowctl does; the audit found no evidence either way on how the arguments are passed, so the finding is about exposure, not a confirmed exploit.
Audit Metadata
Risk Level: SAFE
Analyzed: May 10, 2026, 06:20 AM