okr-track

Warn

Audited by Gen Agent Trust Hub on May 14, 2026

Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill ingests untrusted data from multiple sources, including .okr/inbox/*.md, actions/*.md, and resources.md, to determine its processing logic and status updates. There are no explicit boundary markers or sanitization routines for this content, so it is susceptible to indirect prompt injection: data content could be misinterpreted by the agent as instructions.
  • [COMMAND_EXECUTION]: The 'External Sync' feature (described in references/data-format.md) uses dynamic tool invocation. It parses integration strings such as skill: <name> or mcp: <name> from a Markdown table in the resources.md file and uses them to call other agent skills or MCP tools. This mechanism allows the content of data files to control the agent's tool execution paths.
  • [COMMAND_EXECUTION]: The skill's delegation mechanism (Phase 4b, Step 5) uses a pre_confirmed: true flag in its cross-skill communication payloads. This flag instructs target skills such as okr-init and okr-plan to skip their standard user confirmation prompts and proceed directly to file modification. If the tracking logic is subverted by malicious input data, this bypass can be used to execute unauthorized state changes without human review.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 14, 2026, 02:38 AM
Security Audit — agent-trust-hub — okr-track