team-executor

Warn

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it accepts untrusted, free-form user input ("braindumps") and uses it to generate a plan for autonomous execution.
      ◦ Ingestion points: Untrusted data enters the agent context in Phase 1, Step 1, where it is written to docs/plans/goal-analysis.md as the canonical reference for all planning agents.
      ◦ Boundary markers: The prompts provided to sub-agents (Step 5 and Step 9 in SKILL.md) lack explicit delimiters or instructions to ignore embedded malicious content within the user-provided goals.
      ◦ Capability inventory: Execution agents can modify the codebase and execute shell commands via the platform's agent-spawning tools, as described in orchestration-workflow.md.
      ◦ Sanitization: There is no evidence that the user's input is sanitized or validated before it is incorporated into the execution plan.
  • [COMMAND_EXECUTION]: The skill explicitly instructs agents to bypass human-in-the-loop review during the execution phase, increasing the risk that unintended or malicious operations are performed autonomously.
      ◦ Evidence: SKILL.md (Step 10) states that Phase 2 requires "no human intervention" and that "agents make all decisions autonomously."
      ◦ Evidence: The General Execution Agent Wrapper in agent-templates.md contains the directive "Do not wait for or request human input," which suppresses the user's ability to review or intercept potentially dangerous commands or file modifications.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 11, 2026, 08:39 PM