specify
Pass
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection vulnerability surface. During the 'L1: Context Research' phase (defined in references/L0-L1-context.md), the agent is instructed to use the Glob, Grep, and Read tools to scan the local codebase, including READMEs, ADRs, and internal documentation. This untrusted content is then used to generate 'L2 Checkpoints' and 'Decisions', which are subsequently processed by an automated 'L2-reviewer' sub-agent. An attacker could place malicious instructions within project documentation to steer the implementation plan, manipulate the checkpoint scoring, or bypass the sub-agent's clarity review.
  - Ingestion points: Local codebase files, ADRs, and documentation read via Glob, Grep, and Read during the L1 phase.
  - Boundary markers: The instructions do not define any delimiters or system instructions to ignore embedded prompts within the ingested research data.
  - Capability inventory: The skill has access to the Bash, Write, and Task (sub-agent orchestration) tools, enabling significant file system and process interaction.
  - Sanitization: No sanitization or validation logic is present to filter malicious content from research data before it is interpolated into subsequent prompts.
- [COMMAND_EXECUTION]: The skill relies on an external CLI tool, hoyeon-cli, for core operations such as spec initialization, merging, and validation. The implementation instructions make frequent use of shell heredocs (e.g., hoyeon-cli spec merge ... --stdin << 'EOF') to pass dynamically generated JSON to the CLI. While these follow a structured pattern, they involve the execution of shell commands constructed from runtime data.
Audit Metadata