skills/tercel/code-forge/port/Gen Agent Trust Hub

port

Warn

Audited by Gen Agent Trust Hub on Apr 30, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: Step 5.4 executes shell commands including git init, git add, and git commit within the target_path directory. Since this path can be customized by the user in Step 1.4, there is a risk of command injection if the user-provided string contains shell metacharacters and is not properly sanitized before execution.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through its data ingestion points. In Step 2 and Step 6.1.3, the skill reads content from external feature specifications (docs/features/*.md) and reference implementation plans (planning/*/plan.md) to provide context for sub-agents. Malicious instructions embedded within these files could manipulate the sub-agent's behavior during plan generation.
    Evidence Chain:
    1. Ingestion points: SKILL.md (Step 2 and 6.1.3) reads external markdown and JSON files.
    2. Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the sub-agent prompts.
    3. Capability inventory: The skill performs file writes, directory creation (mkdir), and shell execution (git).
    4. Sanitization: No evidence of input validation or escaping for the ingested file content.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 30, 2026, 12:41 PM