The Agent Skills Directory

[PROMPT_INJECTION]: The skill exhibits an indirect prompt injection attack surface (Category 8) because it ingests untrusted data from external sources and processes it through a chain of agents with filesystem writing capabilities.
Ingestion points: The research-agent.md uses the WebSearch tool to retrieve case studies, competitor approaches, and practitioner insights from the internet based on the user's problem statement.
Boundary markers: The agent instructions lack explicit delimiters or instructions to ignore potential commands embedded in the retrieved web content, which could lead to subsequent agents (such as initiative-generator-agent) being influenced by malicious text found on searched pages.
Capability inventory: The skill manifest (SKILL.md) allows the use of Bash, WebFetch, and Read tools. The orchestrator instructions include writing results to the .agents/ directory and .agents/meta/out-of-scope/ paths.
Sanitization: No sanitization, validation, or filtering of the content retrieved from the web is performed before it is interpolated into the prompts of downstream agents.

solution-design