project-feature-dev

Pass

Audited by Gen Agent Trust Hub on May 6, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It reads instructions and architectural rules from files within the project root, such as docs/ai-coding/feature-prompt-context.md and coding-rules.md. An attacker who can commit files to a repository could embed malicious instructions in these markdown files to influence the agent's behavior during feature implementation.
  • Ingestion points: Files located in docs/ai-coding/ and project source code.
  • Boundary markers: The skill uses logical separation (Hard Rules) but lacks explicit delimiters or instructions to ignore embedded commands within the ingested data.
  • Capability inventory: The agent can read files and is encouraged to execute shell commands for verification.
  • Sanitization: No explicit sanitization or validation of the content within the docs/ai-coding/ directory is performed beyond a manual review warning if open-questions.md is unresolved.
  • [COMMAND_EXECUTION]: The skill instructs the agent to automatically find and execute verification commands from project build files or context, such as mvn test or ./gradlew test. While these are standard build tools, executing commands derived from potentially untrusted project files (like a malicious pom.xml or custom build script) presents a security risk.
Audit Metadata
Risk Level: SAFE
Analyzed: May 6, 2026, 07:21 AM