tech-brief

Pass

Audited by Gen Agent Trust Hub on Apr 20, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface (Category 8) because it ingests and processes untrusted data from multiple external documents.
    * Ingestion points: It reads feature-specific documentation (e.g., tech-spec, architecture), source code files, git history, and request documents.
    * Boundary markers: The instructions do not include specific delimiters or warnings telling the agent to disregard instructions embedded within these source materials.
    * Capability inventory: The skill can execute shell commands via the Bash tool and write files to the system, which could be misused if an injection succeeds.
    * Sanitization: Although it features path normalization and secret redaction, it does not sanitize or filter natural-language instructions found in the ingested text.
  • [COMMAND_EXECUTION]: The skill performs legitimate local command execution to fulfill its purpose.
    * It invokes a local script, node scripts/resolve-feature-cli.js, to handle feature context resolution.
    * It runs git log and git diff commands to collect timeline and implementation evidence.
    * All command executions are restricted by the allowed-tools configuration to authorized prefixes (git, node).
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 20, 2026, 07:24 PM
Security Audit — agent-trust-hub — tech-brief