candid-chrome-qa-fix

Pass

Audited by Gen Agent Trust Hub on Apr 29, 2026

Risk Level: SAFE
Categories flagged: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8).
  • Ingestion points: Untrusted findings data is read from JSON files in the .context/findings/ directory (SKILL.md Step 1).
  • Boundary markers: The prompt template for Conductor (Step 8b) and the Linear issue template (WORKFLOW.md) do not use robust delimiters or instructions to ignore embedded commands within the injected finding data.
  • Capability inventory: The skill possesses significant capabilities, including executing subprocesses (git, open, testCommand), writing files (applying code fixes and updating .fixes.md), and performing network operations via the Linear MCP and other PR creation tools.
  • Sanitization: Although Rule 11 mandates redacting credentials from the evidence field, there is no evidence of sanitization for other text fields (like suggestedFix, repro, or title) to prevent malicious instructions from being interpreted by the agent or spawned workspaces.
  • [COMMAND_EXECUTION]: The skill executes arbitrary shell commands through the user-configured testCommand (e.g., npm test) and various git operations. It also uses the open command on macOS to launch deep links. These functionalities depend on the integrity of the configuration and the consumed findings data.
  • [REMOTE_CODE_EXECUTION]: In 'Per-finding mode' (Step 8b), the skill assembles and executes conductor:// deep links. These links contain encoded instructions (prompts) for a separate agent context. This mechanism enables the skill to delegate complex, dynamically-generated instructions to a fresh environment, which could be exploited if the source findings file is malicious.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 29, 2026, 11:31 PM
Security Audit — agent-trust-hub — candid-chrome-qa-fix