codebase-to-course

Pass

Audited by Gen Agent Trust Hub on Jun 14, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill processes untrusted external data (source code) during Phase 1 (Codebase Analysis), which establishes a surface for indirect prompt injection. Malicious instructions embedded in a processed codebase could attempt to influence the agent's behavior during the curriculum design or module writing phases.
      • Ingestion points: SKILL.md (Phase 1) specifies reading all key files from a cloned GitHub repository or local directory.
      • Boundary markers: No specific delimiters or "ignore instructions" warnings are defined for the analysis of the ingested code.
      • Capability inventory: The skill possesses the ability to read files, create directories, execute shell commands (git clone, bash), and write HTML/JS files.
      • Sanitization: No explicit sanitization or content validation for the source code being analyzed is documented.
  • [COMMAND_EXECUTION]: The skill instructs the agent to perform shell operations, including git clone <url> with user-provided URLs and executing a local assembly script (bash build.sh). While these are core to the skill's workflow, they represent a point where unvalidated input (such as a malformed repository URL) could be interpolated into a shell command.
  • [EXTERNAL_DOWNLOADS]: The generated course template (found in references/_base.html and references/styles.css) references the Google Fonts CDN (fonts.googleapis.com). This is a well-known, trusted service used for legitimate design purposes and does not pose a security risk.
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 14, 2026, 04:52 PM
Security Audit — agent-trust-hub — codebase-to-course