The Agent Skills Directory

[PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill's primary function is to ingest and analyze untrusted user-provided data (referred to as "PM artifacts") which can contain malicious instructions.
Ingestion points: User-specified file paths from $ARGUMENTS or session context in SKILL.md.
Boundary markers: Absent. The instructions do not define delimiters or provide warnings to the agent to disregard instructions found within the reviewed artifacts.
Capability inventory: The agent can read multiple local files, invoke sub-agents (@agent-pm-critic), and produce structured YAML output intended for programmatic consumption by other tools or agents (as described in references/TEMPLATE.md).
Sanitization: No sanitization or validation of the artifact content is performed before the agent processes it as context.
[PROMPT_INJECTION]: Instruction Redirection. On non-Claude AI clients, the skill instructs the agent to "Execute the system prompt body in that file [subagents/pm-critic.md] as your operating instructions for this turn". This pattern explicitly shifts the agent's control flow to external file content. While the path is currently local to the repository, this mechanism bypasses the primary SKILL.md instructions and relies on the integrity of files in the subagents/ directory.

utility-pm-critic