skills/paulrberg/dot-agents/work/Gen Agent Trust Hub

work

Pass

Audited by Gen Agent Trust Hub on Mar 18, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill ingests untrusted data from task descriptions and external references such as issues, PRs, and URLs. This creates a surface for indirect prompt injection, where instructions embedded in those resources could manipulate the agent's behavior during task implementation.
    * Ingestion points: Task descriptions from $ARGUMENTS and the external URLs, Issues, and PRs mentioned in the parsing step.
    * Boundary markers: No explicit boundary markers or instructions to ignore embedded commands are specified.
    * Capability inventory: Extensive file system modification capabilities and shell command execution.
    * Sanitization: No sanitization or validation of the ingested external content is defined in the workflow.
  • [COMMAND_EXECUTION]: The workflow executes local development tools such as linters, type checkers, and full test suites as part of the implementation path. Since these tools typically run code defined within the project itself (e.g., test scripts, build hooks, or configuration files), the agent could inadvertently execute malicious commands if the project files it is working on are compromised or contain malicious logic.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 18, 2026, 04:11 PM