create-technical-spike

Pass

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: SAFE
Finding Category: PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill facilitates an indirect prompt injection surface by using template placeholders for user input.
  • Ingestion points: Untrusted data enters the agent context via multiple ${input:...} placeholders (e.g., SpikeTitle, Owner, Category) within SKILL.md.
  • Boundary markers: Absent. The user-provided strings are directly interpolated into the YAML frontmatter and Markdown headers without delimiters or instructions to ignore embedded commands.
  • Capability inventory: While the skill itself only generates a file, the 'Tools Usage' section suggests the agent has access to runTasks, editFiles, vscodeAPI, and codebase. If an attacker provides malicious instructions within the input fields, a downstream agent might execute them using these tools.
  • Sanitization: There is no evidence of sanitization, validation, or escaping of the input content before it is written to the file system.
Audit Metadata
Risk Level: SAFE
Analyzed: May 19, 2026, 02:45 PM
Security Audit — agent-trust-hub — create-technical-spike