skills/inkeep/team-skills/qa-plan/Gen Agent Trust Hub

qa-plan

Pass

Audited by Gen Agent Trust Hub on Apr 29, 2026

Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The instructions include a directive to "Ignore spec.json's qaScenarios[]". While "ignore" is a keyword often associated with prompt injection, in this specific context it is a legitimate instruction for the AI to perform its intended task by generating original scenarios instead of reusing existing ones.
  • [COMMAND_EXECUTION]: The skill invokes local command-line tools like git and gh (GitHub CLI) to retrieve code diffs and pull request information. It also uses mkdir to create local directories for its output.
  • [INDIRECT_PROMPT_INJECTION]: This skill possesses an attack surface for indirect prompt injection because it processes content from project files (SPEC.md, spec.json) and external pull request data which could contain malicious instructions.
    • Ingestion points: The skill reads content from SPEC.md, spec.json, git diff output, and gh pr view output.
    • Boundary markers: The instructions do not define clear boundaries or provide warnings to the agent about ignoring embedded instructions within the processed data.
    • Capability inventory: The skill can read/write to the local file system and execute shell commands (git, gh, mkdir).
    • Sanitization: There are no explicit sanitization steps defined for the external data being processed.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 29, 2026, 05:50 PM