
specify-meta

Warn

Audited by Gen Agent Trust Hub on Apr 19, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands by interpolating user-provided variables into a Bash call (e.g., Bash("spec.py \"$featureName\"")). This pattern is susceptible to command injection if the underlying agent platform does not perform strict escaping of shell metacharacters when interpolating variables.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) as it processes data from the local filesystem to guide its logic.
  • Ingestion points: The skill runs spec.py --read to fetch metadata, which parses directory names and file contents within the .start/specs/ and docs/specs/ directories.
  • Boundary markers: There are no explicit delimiters or instructions to the agent to treat the parsed TOML metadata as untrusted or to ignore embedded instructions.
  • Capability inventory: The skill possesses the capability to execute shell commands, create/modify files and directories, and hand off tasks to other document-specific skills.
  • Sanitization: While spec.py sanitizes input when creating new directories using a regex, the read_spec function used for status checks reads and outputs existing directory names and file paths verbatim, which could contain maliciously crafted strings designed to influence the agent's behavior.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 19, 2026, 05:44 AM