executing-plans
Pass
Audited by Gen Agent Trust Hub on May 8, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill's primary function is to ingest and 'exactly' follow instructions from external plan files (Markdown artifacts). This creates a significant surface for indirect prompt injection where an attacker who can influence the contents of a plan (e.g., via a pull request or shared document) could insert malicious commands or instructions.
  - Ingestion points: Reads plan files (e.g., .md files) from the local repository or provided path.
  - Boundary markers: The skill does not define strict delimiters or 'ignore embedded instructions' markers for the plan content.
  - Capability inventory: The skill possesses the ability to execute shell commands (git, grep, curl, and arbitrary implementation tasks), write files to the .superpowers/ directory, and perform network operations.
  - Sanitization: No automated sanitization or validation of the plan content is performed beyond a manual 'critical review' by the agent.
- [COMMAND_EXECUTION]: The skill facilitates the execution of arbitrary shell commands as part of the 'Execute Tasks' phase. It specifically instructs the agent to 'Follow each step exactly' from the plan, which could lead to the execution of dangerous system commands if they are present in the plan file.
- [EXTERNAL_DOWNLOADS]: During the 'Freshness check', the skill instructs the agent to use curl to hit external APIs or files referenced in the plan to verify their state. This could be abused to perform Server-Side Request Forgery (SSRF) or exfiltrate data if a malicious plan provides a crafted URL.
Audit Metadata