think-deeper
Pass
Audited by Gen Agent Trust Hub on Apr 21, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill instructions include a directive to 'Keep detailed inner reasoning private unless the user explicitly asks for it' (SKILL.md, Rule 9). This instructs the agent to conceal its internal decision-making process from the user by default, which can reduce transparency during complex or high-stakes tasks.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its core logic and execution workflows.
  - Ingestion points: The framework explicitly instructs the agent to 'Gather the minimum grounding set' by reading 'current files, docs, commands, errors, or tests' (references/foundations/core-loop.md). These external, potentially untrusted sources provide entry points for malicious instructions.
  - Boundary markers: The instructions lack explicit requirements for using boundary markers or delimiters when processing this external data, increasing the risk that the agent may interpret data as instructions.
  - Capability inventory: While the skill itself is tool-agnostic and contains no code, the reasoning framework is designed to direct the agent's use of its entire existing toolset (subprocess calls, file writes, etc.) based on the 'Continuous Execution' loop (references/workflows/continuous-execution.md).
  - Sanitization: There are no instructions for sanitizing or validating external content before it is incorporated into the agent's reasoning process.
Audit Metadata