ln-110-project-docs-coordinator

Fail

Audited by Gen Agent Trust Hub on May 9, 2026

Risk Level: HIGH
Categories: DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill instructions in Phase 1.1 (Auto-Discovery) explicitly direct the agent to access and extract data from sensitive system configuration files. Specifically, it scans ~/.ssh/config to gather SSH aliases, hostnames, and IP addresses for the SERVER_INVENTORY context key. It also extracts registry URLs and potentially sensitive data from .npmrc and .env.example files.
  • [PROMPT_INJECTION]: The skill is highly vulnerable to Indirect Prompt Injection. It implements a multi-step chain where untrusted data from the local environment is used to influence sub-agents.
      ◦ Ingestion points: Untrusted data enters the agent context through the scanning of project files (e.g., README.md, package.json, CODEOWNERS, and source code structures) during Phase 1.1.
      ◦ Boundary markers: The skill lacks any boundary markers or instructions for sub-agents to ignore embedded directives within the gathered context.
      ◦ Capability inventory: The coordinator uses the Agent tool to delegate tasks to five sub-workers (ln-111 through ln-115), which have the capability to write files to the project directory and perform further processing.
      ◦ Sanitization: There is no evidence of sanitization, escaping, or validation of the content extracted from project files before it is interpolated into the prompts for sub-agents.
  • [COMMAND_EXECUTION]: The skill uses shell commands and MCP tools to gather project information and research best practices. This includes executing git log to extract contributor information and using mcp__Ref__ref_read_url to fetch content from external websites during the research phase.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 9, 2026, 08:29 PM