spec-implement
Pass
Audited by Gen Agent Trust Hub on Apr 10, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its processing of the input plan file. The instructions explicitly state that the 'Plan file is source of truth' and that the agent must 'NEVER SKIP TASKS' and 'fully implement' every item. This high level of obedience to external data allows an attacker who can influence the plan file to execute arbitrary tasks within the agent's environment.
- Ingestion points: The markdown plan file provided via the <path/to/plan.md> argument.
- Boundary markers: None. The agent parses the markdown content directly into its task list without clear delimiters or warnings to ignore embedded instructions.
- Capability inventory: The skill can execute shell commands (git, pilot CLI), modify files, use browser automation tools (playwright-cli), and invoke other skills.
- Sanitization: None. The skill does not validate the content of the tasks against a safety policy before execution.
- [COMMAND_EXECUTION]: The skill performs multiple shell operations, including git commands (status, diff, branch, commit), network port inspection (lsof), and execution of a custom binary located at ~/.pilot/bin/pilot. It also dynamically triggers other skills based on the Type: field extracted from the plan file, which could be manipulated to call unintended functions.
- [COMMAND_EXECUTION]: There is a potential for command injection via the $ARGUMENTS placeholder. If the execution environment does not safely handle the interpolation of the plan file path into the shell context, an attacker could provide a filename containing shell metacharacters to execute arbitrary code on the host system.
Audit Metadata