complex-task

Pass

Audited by Gen Agent Trust Hub on Apr 25, 2026

Risk Level: SAFE, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it ingests and processes untrusted data to drive task orchestration.
      • Ingestion points: User-provided task descriptions (Phase 1) and subtask artifacts stored in ./projects/<id>/subtasks/T-N/artifacts/ (Phase 5/6/7).
      • Boundary markers: Absent; the workflow lacks explicit instructions to ignore or isolate potential commands embedded within ingested artifacts.
      • Capability inventory: Uses sessions_spawn for subagent creation and performs file system writes across various project management files (PROJECT.md, tasks.json, progress.md).
      • Sanitization: Absent; there is no evidence of validation or sanitization for external content before it is interpolated into subagent prompts or documentation.
  • [SAFE]: No credentials, hardcoded secrets, or sensitive file paths (like .ssh or .env) are accessed. All file operations are restricted to the local ./projects/ directory.
  • [SAFE]: All orchestration operations use platform-native tools (sessions_spawn) and respect provided whitelists (allowAgents). No remote code execution or external downloads from untrusted sources are performed.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 25, 2026, 01:24 PM
Security Audit — agent-trust-hub — complex-task