beo/reference

Pass

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill defines a protocol for the agent to ingest task specifications, reports, and states from external data sources such as bead descriptions and comments.
      • Ingestion points: As documented in references/artifact-protocol.md, the agent is instructed to read content using br show <id> --json and br comments list <id> --json.
      • Boundary markers: The protocol uses specific header and footer markers (e.g., ---ARTIFACT:report:v1--- and ---END_ARTIFACT---) to delimit artifacts. These provide basic structure but can be spoofed by attackers to inject malicious instructions into the agent's context.
      • Capability inventory: The agent is expected to use the br and bv CLI tools to manage task lifecycles, change statuses, and update metadata based on the data it processes.
      • Sanitization: The reference materials do not specify any sanitization, filtering, or validation logic for the content within these artifacts to prevent the agent from following embedded instructions.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 29, 2026, 11:23 AM