
the-flow

Fail

Audited by Gen Agent Trust Hub on Jun 18, 2026

Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: In references/stages/60-implement.md, the skill instructs the agent to execute export GH_TOKEN=$(gh auth token). This command harvests the user's active GitHub session token and exposes it to the environment, making it available to the agent and any background processes it initiates.
  • [EXTERNAL_DOWNLOADS]: Several files (references/stages/10-explore.md, references/stages/60-implement.md, references/getting-started.md) provide instructions for installing external tools from repositories not recognized as trusted vendors, such as AI-Substrate/flow_squared (via uvx), AI-Substrate/minih (via git clone), and AI-Substrate/harness-engineering (via npx).
  • [PROMPT_INJECTION]: The skill's architecture involves specialized subagents that are given prompts containing raw user input and repository content (Ingestion points: 10-explore.md, 20-plan.md, 35-adr.md, 70-review.md). These prompts lack boundary markers to isolate the data (Boundary markers absent) and do not describe any sanitization processes (Sanitization absent). Given the agent's capabilities to write files and execute commands (Capability inventory), this creates a significant surface for indirect prompt injection.
  • [COMMAND_EXECUTION]: The skill directs the agent to perform extensive shell command execution for repository detection, git history analysis, and managing background processes like the minih companion agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Jun 18, 2026, 09:36 PM
Security Audit — agent-trust-hub — the-flow