The Agent Skills Directory

[DATA_EXPOSURE]: The skill includes a 'discovery' module (scripts/lib/discovery.py) that accesses local SQLite databases and JSONL history files belonging to other AI tools (Cursor, Trae, Claude Code, and Codex). This allows the agent to extract historical conversation data to build product context. While this involves reading sensitive user data from the filesystem, it is the primary documented purpose of the /prd-scan command and is handled locally without external transmission.
[COMMAND_EXECUTION]: The skill uses subprocess.run across multiple scripts (scripts/claude-capture-hook.py, scripts/remove-prd-helper.py, modules/collect/scripts/collect-control.py) to orchestrate its workflow. This includes managing installation hooks, executing session scanners, and triggering uninstallation processes. These executions are scoped to local scripts provided within the skill package.
[PROMPT_INJECTION]: The skill is designed to ingest untrusted data from external 'passive' materials (e.g., meeting notes, customer feedback) and historical session logs to perform 'Refinement' tasks. This represents an indirect prompt injection surface where malicious instructions embedded in requirement documents could influence the agent's behavior during the summary or generation phase. However, the skill provides structural checks and templates to mitigate accidental obedience.
Ingestion points: Data is read from docs/prd-helper/01-collect/passive/ and local tool history databases (discovery.py).
Boundary markers: The skill instructions emphasize saving raw input and using specific templates, though explicit 'ignore embedded instructions' markers are not consistently present in all prompt templates.
Capability inventory: The skill possesses file-writing capabilities and command execution via subprocess.run in orchestration scripts.
Sanitization: Content is indexed and hashed for deduplication, but there is no explicit sanitization of natural language content for embedded instructions.

prd-helper