resolve-workflow

Warn

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill constructs shell commands using user-supplied arguments ($ARGUMENTS) in SKILL.md and steps/00-initialization.md. Commands such as mkdir -p .claude_resolve/{ticket-id} and ls -1 .claude_resolve/ incorporate these inputs without robust sanitization, creating a potential surface for command injection.
  • [DATA_EXFILTRATION]: In steps/01-fetch-ticket.md and steps/06-implement.md, the skill searches for application URLs by reading from sensitive environment files including .env, .env.local, and .env.development. Accessing these files is a security concern, as they typically contain credentials or internal configuration that should not be exposed to subagents.
  • [PROMPT_INJECTION]: The skill has a significant indirect prompt injection surface: it fetches ticket content from external providers (YouTrack, GitHub) and interpolates it into subagent prompts in steps/01-fetch-ticket.md, steps/04-create-plan.md, steps/06-implement.md, and steps/08-review.md. While it uses structural markers (e.g., <ticket>) for isolation, the lack of explicit sanitization of external content before interpolation into prompts is a risk factor.
  • [COMMAND_EXECUTION]: The orchestrator executes arbitrary shell commands defined in local project files such as CLAUDE.md and .claude/ticket-config.json (specifically for linting and testing) and in the generated plan.md. This represents a dynamic execution risk if those project files contain malicious instructions.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 29, 2026, 05:15 PM
Security Audit — agent-trust-hub — resolve-workflow