runbook
Pass
Audited by Gen Agent Trust Hub on Apr 20, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a local script, `node scripts/resolve-feature-cli.js`, using the `Bash(node:*)` tool. User input from `$ARGUMENTS` is passed to this script via the `--feature` parameter. The skill instructs the agent to pass these as separate tokens, which keeps the value out of shell parsing, but there is still an inherent risk of argument injection if neither the tool invocation nor the script itself validates the value (for example, a value beginning with `-` may be read by the script's option parser as a further option rather than as the feature name).
- [DATA_EXFILTRATION]: The skill performs a repo-wide grep and reads configurations, workflows, and logs to populate the runbook. `references/discovery-heuristics.md` defines redaction rules for API keys, tokens, and credentials (replacing them with placeholders such as `${ENV_VAR_NAME}`), but the broad read access required for monitoring signals and SRE references could still expose internal metadata if the redaction patterns are not exhaustive.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it ingests and processes untrusted repository content (tech specs, architecture docs, and source code) to generate its output.
  - Ingestion points: reads technical specifications, architecture diagrams, and arbitrary repository files via the `Read`, `Grep`, and `Glob` tools.
  - Boundary markers: uses a structured markdown template and a provenance manifest, but lacks explicit delimiters around ingested content and instructions to ignore commands embedded in the processed documentation.
  - Capability inventory: the agent can `Write` and `Edit` files and execute `Bash` commands for git operations and node scripts.
  - Sanitization: secret redaction is implemented, but the extracted text is not explicitly sanitized to stop instructions embedded in documentation from influencing the agent's behavior during generation.
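The argument-injection risk in the COMMAND_EXECUTION finding, as an added example that is not the runbook skill's own code: the page does not show how `scripts/resolve-feature-cli.js` parses its options, so the `naiveParse` function below is a hypothetical stand-in for a hand-rolled parser. It shows why a feature value that itself looks like an option is dangerous even when tokens never touch a shell, and how an allowlist check on the value closes the gap before the argv array is built.

```javascript
// Added example (not the runbook skill's own code): validating a feature
// name taken from $ARGUMENTS before it becomes the value of --feature.
// naiveParse is a hypothetical stand-in; the page does not show how
// scripts/resolve-feature-cli.js actually parses its options.
'use strict';

// A minimal option parser of the kind small CLIs often hand-roll. It takes
// whatever token follows --feature, so a value that itself looks like an
// option is accepted silently and can shadow or consume a later option.
function naiveParse(argv) {
  const opts = { feature: null, output: null };
  for (let i = 0; i < argv.length; i++) {
    if (argv[i] === '--feature') opts.feature = argv[++i] ?? null;
    else if (argv[i] === '--output') opts.output = argv[++i] ?? null;
  }
  return opts;
}

// Allowlist for feature identifiers: first character alphanumeric (so the
// value can never be mistaken for an option), then a short set of
// characters that are safe to echo into file names and markdown headings.
const FEATURE_RE = /^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/;

function validateFeature(raw) {
  if (typeof raw !== 'string' || !FEATURE_RE.test(raw)) {
    throw new Error(`refusing feature argument: ${JSON.stringify(raw)}`);
  }
  return raw;
}

// Build the argument vector for the resolver script. Hand it to
// child_process.spawnSync(process.execPath, argv, { shell: false }) so the
// tokens reach the script unchanged and no shell ever interprets them.
function buildResolverArgv(scriptPath, feature) {
  return [scriptPath, '--feature', validateFeature(feature)];
}

// Constructed inputs: a benign feature name and an attempt to smuggle an
// --output option through the feature value.
const BENIGN = 'checkout-v2';
const SMUGGLED = '--output';

console.log(naiveParse(['--feature', BENIGN, '--output', 'runbook.md']));
console.log(naiveParse(['--feature', SMUGGLED, 'runbook.md'])); // feature is now "--output"
try {
  buildResolverArgv('scripts/resolve-feature-cli.js', SMUGGLED);
} catch (err) {
  console.log(err.message); // the allowlist rejects it before spawn
}
console.log(buildResolverArgv('scripts/resolve-feature-cli.js', BENIGN));
```

The check belongs in the agent-side wrapper that builds the command as well as in the script, since the `Bash(node:*)` permission pattern only constrains the executable, not its arguments.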
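The redaction caveat in the DATA_EXFILTRATION finding, as an added example that is neither the skill's code nor the contents of its `references/discovery-heuristics.md` (the page does not reproduce those rules): a pattern-based redactor that swaps credential values for `${ENV_VAR_NAME}` placeholders, followed by a second pass that flags token-like strings the rules did not recognise. The rule set, the placeholder names and the sample lines are all constructed for the example.

```javascript
// Added example (not from the runbook skill or its discovery-heuristics.md):
// a pattern-based redactor that swaps credential values for ${ENV_VAR_NAME}
// placeholders, plus a leftover check that makes the "patterns are not
// exhaustive" caveat concrete: whatever the rules do not know about
// survives the first pass and must be caught by a broader heuristic before
// the text is written into the runbook.
'use strict';

const REDACTION_RULES = [
  // KEY=value / KEY: value assignments in .env, compose and CI files
  { re: /\b([A-Z][A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD))(\s*[=:]\s*)["']?[^\s"']+["']?/g,
    repl: (_m, name, sep) => `${name}${sep}\${${name}}` },
  // Authorization: Bearer <token> headers in curl snippets and logs
  { re: /(Authorization:\s*Bearer\s+)[^\s"']+/gi,
    repl: (_m, prefix) => `${prefix}\${AUTH_BEARER_TOKEN}` },
  // user:password@ embedded in connection strings and clone URLs
  { re: /([a-z][a-z0-9+.-]*:\/\/)[^\s:@\/]+:[^\s@\/]+@/gi,
    repl: (_m, scheme) => `${scheme}\${URL_USERNAME}:\${URL_PASSWORD}@` },
];

function redactLine(line) {
  return REDACTION_RULES.reduce((out, rule) => out.replace(rule.re, rule.repl), line);
}

// Second pass: any long run of token-like characters still present after
// redaction is treated as a possible secret the rules missed.
const SUSPECT_TOKEN_RE = /[A-Za-z0-9_-]{24,}/;

function findUnredacted(lines) {
  const hits = [];
  lines.forEach((line, i) => { if (SUSPECT_TOKEN_RE.test(line)) hits.push(i); });
  return hits;
}

// Redact every line and report which lines still look suspicious; a caller
// should hold those lines back from the runbook until a human has reviewed them.
function redactForRunbook(lines) {
  const redacted = lines.map(redactLine);
  return { redacted, suspect: findUnredacted(redacted) };
}

// Constructed sample lines of the kind a repo-wide grep would pull in.
const SAMPLE_LINES = [
  'DATABASE_URL=postgres://app:hunter2@db.internal:5432/app',
  'STRIPE_API_KEY=sk_test_9f3kd02jsl1m',
  'curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc" https://api.example.com',
  'git clone https://deploy:s3cr3t@git.example.internal/repo.git',
  'slack_webhook: https://hooks.slack.com/services/T000/B000/b7Qx9mK2pL4nR8sT1vW3yZ5a',
  'retention_days: 30',
];

const result = redactForRunbook(SAMPLE_LINES);
result.redacted.forEach((line, i) => {
  console.log(result.suspect.includes(i) ? 'SUSPECT ' : 'ok      ', line);
});
```

The webhook line is the point of the exercise: none of the three rules describes it, so only the length heuristic catches it, and a redactor that stops after the rule pass would write it into the runbook unchanged.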
Audit Metadata