debug-specmatic-failures
Pass
Audited by Gen Agent Trust Hub on May 5, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
- [PROMPT_INJECTION]: The skill is designed to ingest and process a wide variety of untrusted external data to diagnose failures. This creates a surface for indirect prompt injection where malicious instructions hidden in logs or specifications could manipulate the agent.
  - Ingestion points: The workflow in `SKILL.md` identifies sources including user prompts, shell commands, `specmatic.yaml`, CI logs, build output, git diffs, and runtime logs.
  - Boundary markers: Absent. The instructions do not specify the use of delimiters or 'ignore' instructions for the processed data.
  - Capability inventory: The agent is authorized to execute `docker` commands, pull images, write files to the local filesystem for reproductions, and suggest or implement code fixes.
  - Sanitization: Absent. There are no instructions for validating or sanitizing the content of the logs or specifications before processing.
- [COMMAND_EXECUTION]: The skill requires the agent to pull Docker images (e.g., `specmatic/enterprise`) and run shell commands. While these resources are associated with the vendor, the agent constructs these commands dynamically based on environment data and user-provided configuration.
- [CREDENTIALS_UNSAFE]: The instructions direct the agent to mount the `$HOME/.specmatic` directory into Docker containers to provide license access for the Enterprise version. This directory contains sensitive license keys or configuration data. While required for the vendor's software to function, mounting this path into containers while processing untrusted logs presents a potential for credential exposure.
Audit Metadata