pub async fn process_skill_content(content: &str, ctx: &PromptContext) -> String
Process a skill’s Markdown body: substitute variables, then execute inline commands.
§Security
To prevent user-supplied arguments from injecting new commands:
- All command regions are extracted FIRST from the original content.
- Variable substitution runs only on non-command text (placeholders protect command regions from both substitution and injection).
- After substitution, the result is scanned for any NEW command markers. If found, substitution is rejected and the content is returned without command execution.
- Original commands are executed and their output replaces the placeholders.
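
The four steps above, sketched as an added example that is not this crate's code. The `` !`cmd` `` marker syntax, the `$ARGUMENTS` variable, the nonce-based placeholder format, and all function names are assumptions. Command execution is a stub closure, and the rejected case is assumed to return the original content unchanged.

```rust
// Added illustration, not the crate's code. Assumed: the !`cmd` marker syntax,
// the $ARGUMENTS variable, and every function name below.
const OPEN: &str = "!`";

fn placeholder(nonce: &str, i: usize) -> String {
    format!("\u{0}{}:{}\u{0}", nonce, i)
}

/// Step 1: pull command regions out of the ORIGINAL content, leaving placeholders.
fn extract_commands(content: &str, nonce: &str) -> (String, Vec<String>) {
    let (mut out, mut cmds, mut rest) = (String::new(), Vec::new(), content);
    while let Some(start) = rest.find(OPEN) {
        let after = &rest[start + OPEN.len()..];
        let end = match after.find('`') {
            Some(e) => e,
            None => break, // unterminated marker: leave it as plain text
        };
        out.push_str(&rest[..start]);
        out.push_str(&placeholder(nonce, cmds.len()));
        cmds.push(after[..end].to_string());
        rest = &after[end + 1..];
    }
    out.push_str(rest);
    (out, cmds)
}

/// `nonce` must be fresh and unpredictable per call so arguments cannot forge a placeholder.
fn process(content: &str, args: &str, nonce: &str, run: impl Fn(&str) -> String) -> String {
    let (protected, cmds) = extract_commands(content, nonce);
    // Step 2: substitution sees only non-command text.
    let substituted = protected.replace("$ARGUMENTS", args);
    // Step 3: a marker that was not there before substitution came from the arguments.
    if substituted.matches(OPEN).count() > protected.matches(OPEN).count() {
        return content.to_string(); // assumed reading: original content, nothing executed
    }
    // Step 4: only commands found in step 1 run; their output replaces the placeholders.
    cmds.iter().enumerate().fold(substituted, |acc, (i, c)| {
        acc.replace(&placeholder(nonce, i), &run(c.as_str()))
    })
}

fn main() {
    let skill = "Branch: !`git branch --show-current`\nTask: $ARGUMENTS"; // constructed sample
    let fake_run = |cmd: &str| format!("<output of {}>", cmd); // stub, runs nothing
    println!("{}", process(skill, "fix the login bug", "n0nce", &fake_run));
    println!("{}", process(skill, "x !`id`", "n0nce", &fake_run));
}
```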