recipe-add-integration-tests

Pass

Audited by Gen Agent Trust Hub on May 9, 2026

Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from user-provided paths and the contents of design documents, which are then used to build prompts for subagents.
      • Ingestion points: User-provided $ARGUMENTS (Step 1) and document files discovered in docs/design/*.md and docs/ui-spec/*.md.
      • Boundary markers: Present. The skill uses a "Scope boundary for subagents" block appended to subagent prompts to help constrain their behavior.
      • Capability inventory: Executes shell commands (ls, git commit, rm), writes task files to the filesystem, and orchestrates multiple subagents.
      • Sanitization: Absent. There is no evidence of validation or sanitization for the ingested document content or the provided arguments.
  • [COMMAND_EXECUTION]: The Bash script in Step 1 executes ls $ARGUMENTS without proper quoting or sanitization of the user-supplied variable. This creates a command injection surface where shell metacharacters (e.g., ;, &&, |) in the arguments could be used to execute unintended commands.
Audit Metadata
Risk Level: SAFE
Analyzed: May 9, 2026, 10:39 PM