subagent-driven-development
Pass
Audited by Gen Agent Trust Hub on May 13, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill's architecture involves interpolating untrusted task descriptions from implementation plans directly into the prompts of subagents. This creates a potential surface for indirect prompt injection where a malicious plan could influence subagent behavior.
- Ingestion points: implementer-prompt.md and code-quality-reviewer-prompt.md both ingest "Task N" text from external plan files.
- Boundary markers: The prompt templates lack explicit delimiters (such as XML tags or dedicated block markers) to isolate untrusted task data from the subagent's core instructions.
- Capability inventory: The subagents possess file system write access, the ability to execute shell commands (for testing), and git commit capabilities.
- Sanitization: There is no evidence of automated sanitization or schema validation for the task content before interpolation.
- Mitigation: The skill includes a robust, multi-stage review process (spec compliance then code quality) with an explicit instruction to reviewers to be skeptical of implementation reports, which serves as a strong guardrail against unauthorized or malicious code changes.
Audit Metadata