backlog-md

Pass

Audited by Gen Agent Trust Hub on May 5, 2026

Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it requires the agent to ingest and follow instructions from an external task tracking system.
      • Ingestion points: The agent reads external task data (titles, descriptions, acceptance criteria, and notes) via backlog task <id> --plain as instructed in SKILL.md and references/task-workflow.md.
      • Boundary markers: The instructions lack delimiters or safety warnings to treat task content as untrusted or to ignore embedded instructions that might contradict the agent's core guidelines.
      • Capability inventory: The agent is granted permission to execute backlog CLI commands and is expected to perform broader "Code implementation" (referenced in SKILL.md) based on the task data it reads.
      • Sanitization: No validation or filtering is applied to the task data before the agent processes and acts on it.
  • [COMMAND_EXECUTION]: The skill's primary functionality is built around the execution of the backlog CLI tool.
      • The agent is instructed to use a variety of subcommands (create, edit, search, list) to interact with the task database.
      • While this is the intended use of the skill, it represents a command execution surface that processes arguments derived from external task content.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 5, 2026, 08:29 PM