candango-uat-runner
Warn
Audited by Gen Agent Trust Hub on May 26, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is instructed to infer and execute shell commands from the local repository, including 'app start command', 'focused test command', and 'validation commands'. This creates a risk if the repository contains malicious configuration files (e.g., package.json scripts) that the agent might execute.
- [CREDENTIALS_UNSAFE]: The workflow requires the agent to identify and use 'required env vars or credentials' to exercise the application. While necessary for testing, this grants the agent access to potentially sensitive local secrets which are then used during command execution.
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection by ingesting untrusted data from multiple sources.
  - Ingestion points: The skill reads docs/features/<feature-slug>/uat.md, plan.md, issues.md, and project source code (SKILL.md).
  - Boundary markers: There are no explicit instructions to use delimiters or ignore instructions embedded within the processed documentation or code.
  - Capability inventory: The skill can execute shell commands (start/test/validate) and write to the file system (updating uat.md).
  - Sanitization: No sanitization or validation logic is specified for the content read from external files before it is processed or used to generate context for other tools like $candango-executor.
Audit Metadata