Gen Agent Trust Hub audit report: skills/hungv47/meta-skills/preflight

preflight

Pass

Audited by Gen Agent Trust Hub on Apr 1, 2026

Risk Level: SAFE

Finding categories: DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill instructions direct the agent to read local project files, specifically CLAUDE.md and various artifacts within the .agents/ directory, such as spec.md and system-architecture.md. While no network exfiltration commands were detected, these instructions facilitate the exposure of project-specific metadata and architectural details to the model's context.
  • [PROMPT_INJECTION]: The skill implements a 'flywheel' mechanism in Phase 1 (Step 2 and Step 5) that reads from and appends to files in .agents/experience/{domain}.md. This creates a vulnerability to Indirect Prompt Injection.
    ◦ Ingestion points: Phase 1, Step 2 reads existing experience documents to inform current task scoping.
    ◦ Boundary markers: No boundary markers or 'ignore' instructions are used when interpolating this stored data into the prompt.
    ◦ Capability inventory: The skill can read project files and append user-supplied answers to files.
    ◦ Sanitization: There is no evidence of sanitization or validation performed on the user's answers before they are stored or subsequently read back into the prompt context.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 1, 2026, 07:35 AM