skills/rshade/agent-skills/decide/Gen Agent Trust Hub

decide

Pass

Audited by Gen Agent Trust Hub on Apr 22, 2026

Risk Level: SAFE
Finding categories: PROMPT_INJECTION, DATA_EXFILTRATION

Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from project documentation and git history to frame the debate context.
  • Ingestion points: Step 0.1 explicitly reads README files, architecture documentation, and product docs from the local environment.
  • Boundary markers: There are no explicit delimiters or instructions to ignore embedded commands within the ingested context files before they are passed to sub-agents.
  • Capability inventory: The skill possesses the capability to spawn parallel agents, perform web research, and write to local files (e.g., ARCHITECTURE.md, biz.md).
  • Sanitization: No sanitization or validation of the content read from project files is performed before interpolation into sub-agent prompts.
  • [DATA_EXFILTRATION]: The skill uses external web research to gather evidence for the debate, which involves sending descriptions of the decision topic to external tools.
  • Risk: If the decision topic or the project context (README, architecture docs) contains sensitive internal information, this data could be included in search queries sent to external search engines or websites during the research phase.
  • Context: This behavior is inherent to agents performing web research and does not appear to be an intentional attempt at data exfiltration.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 22, 2026, 09:59 AM