The Agent Skills Directory

[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted conversation data and incorporates it into persistent filesystem documentation.
Ingestion points: The skill instructions specify using the "current conversation context" to produce a PRD (SKILL.md).
Boundary markers: There are no defined delimiters or instructions to treat the conversation context as untrusted data during the synthesis process.
Capability inventory: The skill has the capability to create directories and write files to the project's docs/specs/ path (SKILL.md).
Sanitization: No sanitization, escaping, or validation of the conversation context is performed prior to writing the output file, although a human review step is suggested in the process steps.

write-spec