aif-implement

Pass

Audited by Gen Agent Trust Hub on May 13, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and acts upon instructions provided in markdown files such as .ai-factory/PLAN.md, ARCHITECTURE.md, and RULES.md. A malicious actor could provide a project containing these files with embedded instructions to perform unauthorized actions during the implementation phase.
      ◦ Ingestion points: Reads various project-specific markdown artifacts using the Read, Glob, and Grep tools (specifically mentioned in Steps 0.1, 0.2, and 3.1).
      ◦ Boundary markers: The skill does not implement specific delimiters or 'ignore' instructions for the content read from these files.
      ◦ Capability inventory: The skill has access to powerful tools including Write, Edit, and Bash for shell execution, as well as several mcp__handoff__* tools for remote synchronization.
      ◦ Sanitization: No sanitization or validation of the task descriptions or rules content is performed before the agent processes them.
  • [COMMAND_EXECUTION]: The skill frequently uses the Bash tool to perform development-related operations.
      ◦ Evidence: It executes commands for environment checks (printenv), git repository management (git status, git branch, git merge, git worktree, etc.), and file system management (rm <plan-path>). These commands are logically tied to the skill's purpose but represent a powerful capability that could be abused if the agent is successfully injected.
Audit Metadata
Risk Level: SAFE
Analyzed: May 13, 2026, 06:55 AM
Security Audit — agent-trust-hub — aif-implement