The Agent Skills Directory

[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes external source code and test outputs which are then used as context for subsequent agent actions.
Ingestion points: The skill reads target codebase files and test runner outputs in the Correctness and Clarity passes as described in SKILL.md and modules/pass-definitions.md.
Boundary markers: The instructions for subagents lack clear delimiters or specific warnings to ignore instructions embedded within the target code or test logs.
Capability inventory: The workflow involves high-capability tools, specifically Edit for code modification and Bash for running tests, which could be exploited if the agent follows malicious instructions from the codebase.
Sanitization: No sanitization or validation of the ingested code or test output is mentioned before processing.
[COMMAND_EXECUTION]: The skill uses the Bash tool to execute test runners like pytest during the Correctness pass. This is standard functionality for a developer-oriented tool and is considered safe within its intended context.

dorodango