proposal-architect
Pass
Audited by Gen Agent Trust Hub on Apr 18, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill has a significant attack surface for indirect prompt injection because it is designed to read and "thoroughly" analyze untrusted external documents provided by the user.
- Ingestion points: The skill reads all files placed in the `proposals/{slug}/terms/` directory during Phase 4.
- Boundary markers: Absent. There are no instructions or delimiters used to prevent the agent from following malicious commands embedded within the RFP or TOR documents.
- Capability inventory: The skill can create and write to files, read local files, and execute shell commands via Pandoc.
- Sanitization: No sanitization or filtering is applied to the content of the ingested documents before the agent processes them for opportunity analysis and drafting.
- [COMMAND_EXECUTION]: The skill executes shell commands using `pandoc` to compile the final proposal documents. While the skill includes instructions to sanitize proposal names into safe directory slugs (lowercase, hyphens), the execution of shell commands based on workspace content remains a capability that could be targeted if indirect injection occurs.
Audit Metadata