product-prd

Fail

Audited by Gen Agent Trust Hub on Mar 27, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill performs shell command interpolation using unvalidated user input, which can lead to arbitrary code execution if a malicious slug is provided.
      ◦ Evidence: In SKILL.md, the $SLUG variable is passed directly to go run ../../scripts/cmd/assess, go run ../../scripts/cmd/compound retrieve, and git commit -m without any instructions for the agent to sanitize the input first.
  • [COMMAND_EXECUTION]: Untrusted keywords extracted from external documents are used in shell-based search operations.
      ◦ Evidence: Phase 2.5 in SKILL.md uses grep -r with keywords derived from the feature description, which could be exploited if those keywords contain shell metacharacters.
  • [PROMPT_INJECTION]: The skill processes external files that may contain instructions designed to override agent behavior.
      ◦ Ingestion points: .agents/products/value-propositions/<slug>.md and global context files like ARCHITECTURE.md.
      ◦ Boundary markers: None present to distinguish instructions from the data being processed.
      ◦ Capability inventory: High-risk capabilities including shell command execution (go run, grep, git), file system writes, and UI generation via StitchMCP.
      ◦ Sanitization: No mechanism is described to filter or escape instructions within the ingested data.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 27, 2026, 06:42 PM