dev-spec
Pass
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it is designed to ingest and act upon untrusted data from product requirement documents (PRDs), user requests, and existing project source code.
- Ingestion points: External requirements are captured into `task.md` (via the intake phase) and project context is analyzed in `research.md` (via the research phase).
- Boundary markers: The instructions lack explicit delimiters or "ignore embedded instructions" warnings to prevent the agent from obeying instructions hidden within the ingested PRDs or code files.
- Capability inventory: The skill directs the agent to write files to the local filesystem (`/.ai/tasks/`) and execute shell commands (such as linting, testing, and building) during the implementation and testing phases.
- Sanitization: There is no evidence of sanitization, validation, or escaping of the content ingested from external requirements before it is used to generate implementation plans.
- [COMMAND_EXECUTION]: The workflow requires the agent to execute arbitrary shell commands during the 'implement', 'test', and 'bugfix' phases. While these are standard for software development tasks, the specific commands and their targets are determined by plans derived from potentially untrusted requirement inputs, creating a risk if the input contains malicious instructions.
Audit Metadata