
ce-work

Warn

Audited by Gen Agent Trust Hub on Mar 27, 2026

Risk Level: MEDIUM
DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill instructs the agent to capture UI screenshots and upload them to public, unauthenticated third-party hosting services such as pixhost, catbox, imagebin, and beeimg. This practice risks exposing sensitive information (PII, internal credentials, or proprietary designs) contained within the application's UI to the public internet.
  • [INDIRECT_PROMPT_INJECTION]: The skill's primary function is to ingest and execute a 'work document' or 'plan file' provided as an argument (#$ARGUMENTS). This document is processed as instructions for the agent to follow.
      • Ingestion points: The #$ARGUMENTS content is loaded into an <input_document> block in SKILL.md.
      • Boundary markers: The content is wrapped in <input_document> tags, and the agent is instructed to 'Read Plan and Clarify' and 'Get user approval to proceed'.
      • Capability inventory: The agent has extensive capabilities including shell command execution (tests, linting, git), file modification, and network access (git push, PR creation, image upload).
      • Sanitization: There is no explicit sanitization or filtering of the instructions found within the input document, making it vulnerable to malicious instructions embedded in a todo or specification file.
  • [COMMAND_EXECUTION]: The workflow involves executing project-specific test suites, linting tools, and development servers (e.g., bin/rails test, npm test, bin/dev). While these are standard development practices, the agent is directed to execute these commands based on patterns it finds in the codebase or instructions in the work plan, which could be exploited if the environment is compromised or the plan is malicious.
  • [COMMAND_EXECUTION]: The skill uses the `!command`-like pattern implicitly by suggesting shell commands for git operations and environment setup (Phase 1, Step 2), including parsing git remote heads and creating branches based on project state.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 27, 2026, 05:25 PM