
harness-dao

Pass

Audited by Gen Agent Trust Hub on Apr 14, 2026

Risk Level: SAFE
Full Analysis
  • [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted external data such as project README files, existing documentation, and user-provided fragments to determine task boundaries and execution steps. This creates an attack surface where malicious content in a project's documentation could attempt to influence the agent's workflow logic.
      • Ingestion points: Reads README, existing documents, and arbitrary user input fragments.
      • Boundary markers: The skill uses a structured 'Dao-Shu-Fa' template to segment data, which provides a logical boundary but is not an explicit security delimiter.
      • Capability inventory: The skill can perform file operations and trigger code implementation via the implement-code tool.
      • Sanitization: No specific sanitization or validation of external document content is described in the workflow instructions.
  • [COMMAND_EXECUTION]: While the skill orchestrates execution through tools like implement-code, it explicitly mandates that destructive, irreversible, or high-risk actions (e.g., major refactoring, external system access, or security-related changes) must receive explicit user confirmation before proceeding.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 14, 2026, 05:35 AM