office-hours
Pass
Audited by Gen Agent Trust Hub on Apr 20, 2026
Risk Level: SAFE
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection because it is designed to ingest and process untrusted data from the user's local environment. While inherent to the skill's purpose as a context-aware partner, this represents a potential vector for malicious data to influence the agent.
  - Ingestion points: Phase 1 (reads README, existing design docs, git history, and codebase) and Phase 2.5 (searches prior design docs).
  - Boundary markers: The skill does not define specific delimiters or instructions to ignore embedded commands within the files it reads.
  - Capability inventory: The skill can perform web searches (Phase 2.75), invoke subagents or second models (Phases 3.5, 5, and the Spec Review Loop), and generate HTML files (Visual Sketch).
  - Sanitization: No sanitization or escaping of the ingested file content is performed before it is used in prompts or shared with subagents.
- [DATA_EXFILTRATION]: The skill performs external web searches in Phase 2.75 to gather 'Landscape Awareness'. Security is managed via a mandatory 'Privacy gate' that requires explicit user approval. Furthermore, it instructs the agent to use generalized category terms instead of specific product names or proprietary concepts to prevent the exposure of stealth ideas.
- [COMMAND_EXECUTION]: The skill maintains a 'HARD GATE' that explicitly prevents it from executing implementation commands, writing code, or scaffolding projects, effectively limiting its operational scope to design and brainstorming.
Audit Metadata