code-reviewer

Warn

Audited by Gen Agent Trust Hub on Apr 2, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/pr_analyzer.py executes Git commands (git diff, git log) via subprocess.run. The --base and --head parameters are user-supplied and interpolated directly into the command list. While shell=True is not used, Git commands are susceptible to argument injection. A malicious user could provide crafted strings (e.g., flags like --ext-diff) to execute arbitrary code or exfiltrate data through Git's internal mechanisms.
  • [COMMAND_EXECUTION]: The scripts/review_report_generator.py script invokes other local Python scripts using subprocess.run. Although it passes arguments as a list, the repo_path is sourced from user input. Without strict validation of the path string, this pattern could be abused if the underlying scripts are manipulated or if the path itself contains sequences that the subprocess handler might misinterpret in certain environments.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting and processing external, untrusted data (source code and git diffs) from the repository being reviewed. A malicious actor could embed instructions within code comments or PR documentation that attempt to subvert the agent's review logic or safety guidelines.
      • Ingestion points: scripts/code_quality_checker.py reads file content using open().read(); scripts/pr_analyzer.py reads git diffs using subprocess.run.
      • Boundary markers: The scripts do not implement delimiters or 'ignore instructions' markers when passing the extracted code content to the agent for analysis.
      • Capability inventory: The skill has the ability to execute shell commands (via git), read arbitrary local files, and write report files to the filesystem.
      • Sanitization: There is no evidence of sanitization or filtering applied to the code content before it is processed by the agent's analysis logic.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 2, 2026, 01:26 PM