prd-auto-test-loop

Pass

Audited by Gen Agent Trust Hub on May 14, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted PRD (Product Requirements Document) files to determine test scope and requirements.
  • Ingestion points: PRD files identified in Workflow Step 1 and templates in references/自动化测试封装指南.md (the automated test encapsulation guide).
  • Boundary markers: Absent. There are no delimiters or instructions to ignore embedded commands within the ingested PRD data.
  • Capability inventory: The skill has capabilities to create directories (mkdir) and write files (cat) via shell commands.
  • Sanitization: No evidence of sanitization or validation of the content extracted from PRDs before it is used to influence agent actions or file content.
  • [COMMAND_EXECUTION]: The skill executes shell commands using variables that may be derived from external data, presenting a potential path traversal risk and, depending on how the variables are expanded, a command injection risk.
  • Evidence: In SKILL.md and _archive/scaffold_prd_test_pack.sh, the skill uses variables such as $version and $project_root to construct file paths for mkdir and cat operations. If a malicious PRD supplies a version string containing path traversal sequences (e.g., ../../), the agent could be manipulated into creating files or directories outside the intended project structure. Note that traversal does not require an unquoted expansion: mkdir -p "$project_root/tests/$version" still walks out of the project root when $version contains ../, so quoting alone is not a fix; the value must be validated against an allow-list and the resulting path checked for containment.
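The following is an added illustration of the finding above; it is not the skill's own scaffold_prd_test_pack.sh and the function names, the version format and the tests/ layout are assumptions. It reproduces the vulnerable pattern (a PRD-derived $version interpolated into a mkdir/cat path) beside a hardened variant that allow-lists the version string and verifies the resolved path stays under $project_root:

```shell
#!/usr/bin/env bash
# Added example (not the audited skill's code). Assumed layout:
# $project_root/tests/$version/test_plan.md.
set -e

# Vulnerable pattern described in the audit: $version goes into the path
# unvalidated, so "../../evil" resolves to a directory outside project_root
# even though every expansion is quoted.
scaffold_unsafe() {
  project_root="$1"; version="$2"
  dir="$project_root/tests/$version"
  mkdir -p "$dir"
  cat > "$dir/test_plan.md" <<EOF
# Test plan for $version
EOF
  # Report where the file physically landed after ../ resolution.
  (cd "$dir" && printf '%s/test_plan.md\n' "$(pwd -P)")
}

# Allow-list (assumed format): digits and dots, optional "-tag".
# Nothing containing "/", "..", ";" or whitespace can pass.
valid_version() {
  # grep matches line by line, so reject embedded newlines first;
  # otherwise "1.0<newline>../../x" would pass on its first line.
  [ "$(printf '%s' "$1" | wc -l | tr -d ' ')" -eq 0 ] || return 1
  printf '%s\n' "$1" | grep -Eq '^[0-9]+(\.[0-9]+){0,2}(-[A-Za-z0-9]+)?$'
}

# Containment check: physical path of $2 must start with physical path
# of $1. Both must exist, so it is run right after mkdir and before cat.
path_within_root() {
  root_abs="$(cd "$1" && pwd -P)"
  dir_abs="$(cd "$2" && pwd -P)"
  case "$dir_abs/" in
    "$root_abs"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Hardened scaffold: reject bad input up front, then verify containment
# as defence in depth before any file content is written.
scaffold_safe() {
  project_root="$1"; version="$2"
  if ! valid_version "$version"; then
    printf 'rejected version string: %s\n' "$version" >&2
    return 1
  fi
  dir="$project_root/tests/$version"
  mkdir -p "$dir"
  if ! path_within_root "$project_root" "$dir"; then
    printf 'path escapes project root: %s\n' "$dir" >&2
    rmdir "$dir"
    return 1
  fi
  cat > "$dir/test_plan.md" <<EOF
# Test plan for $version
EOF
  (cd "$dir" && printf '%s/test_plan.md\n' "$(pwd -P)")
}

# Demo on a scratch directory (constructed input, cleaned up afterwards).
demo() {
  scratch="$(mktemp -d)"; root="$scratch/project"; mkdir -p "$root"
  echo "unsafe, version '../../evil': $(scaffold_unsafe "$root" "../../evil")"
  echo "safe,   version '../../evil': $(scaffold_safe "$root" "../../evil" 2>&1 || true)"
  echo "safe,   version '1.2.3':      $(scaffold_safe "$root" "1.2.3")"
  rm -rf "$scratch"
}
demo
```

Running the demo prints the unsafe file landing one level above the project directory, the same input being rejected by scaffold_safe, and a well-formed version producing tests/1.2.3/test_plan.md inside the root. The allow-list is what actually closes the hole; the containment check only catches regressions if the pattern is later relaxed.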
Audit Metadata
Risk Level
SAFE
Analyzed
May 14, 2026, 06:53 AM
Security Audit — agent-trust-hub — prd-auto-test-loop