synthesize-learnings

Pass

Audited by Gen Agent Trust Hub on Apr 3, 2026

Risk Level: SAFE
Finding category: PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through the ingestion of untrusted analysis reports. Malicious instructions embedded in a plugin analysis report could override the agent's behavior during the synthesis process.
  • Ingestion points: The skill reads raw analysis reports from the analyze-plugin workflow, as defined in SKILL.md and references/input-contract.md.
  • Boundary markers: There are no explicit instructions or delimiters (such as "ignore embedded instructions") defined in the input-contract.md to protect the synthesis logic from data-driven instructions.
  • Capability inventory: The skill is granted Bash, Read, and Write permissions. It is explicitly instructed to modify core framework files, including scaffold.py, audit.py, and SKILL.md templates (documented in references/improvement-mapping.md).
  • Sanitization: No sanitization or validation of the input analysis content is mentioned in the processing steps, increasing the risk that a malicious report could trigger unintended file modifications or command execution.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 3, 2026, 06:09 PM
Security Audit — agent-trust-hub — synthesize-learnings