deep-research-with-codebase

Pass

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: SAFE
COMMAND_EXECUTION
PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructions explicitly direct the agent to utilize the Bash tool for repo investigation, including scanning directories and finding call sites. While the instructions emphasize a read-only approach, the use of a shell tool for investigation is a notable capability.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as its core function involves reading and analyzing untrusted content from external codebases. This could allow malicious code to influence the research findings or the behavior of subagents.
  • Ingestion points: Untrusted codebase content is read during the discovery phase (Workflow Step 2) and the investigation loop (Workflow Step 4) using tools like Read, Grep, and Bash.
  • Boundary markers: The instructions do not specify the use of delimiters or boundary markers (such as XML tags) to isolate codebase content when it is processed by the primary agent or passed to the 'Explore' subagent.
  • Capability inventory: The skill has access to powerful capabilities including Bash execution, writing persistent logs and reports to the local file system (.plans/research/), and spawning autonomous subagents (Agent tool).
  • Sanitization: There are no requirements for sanitizing, escaping, or validating the content retrieved from the codebase before it is synthesized into findings or reports.
Audit Metadata
Risk Level: SAFE
Analyzed: May 16, 2026, 12:05 AM
Security Audit — agent-trust-hub — deep-research-with-codebase