cross-review

Fail

Audited by Gen Agent Trust Hub on Mar 3, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses a bash command template to invoke external CLI tools: {cli_command} "{prompt}" {关键参数}. This design executes shell commands with variables populated from external inputs, which is a significant security risk.
  • Evidence: Identified in SKILL.md under the "调用外部 agent" (invoke external agent) section.
  • [PROMPT_INJECTION]: The skill is vulnerable to command injection through its use of shell interpolation. Because the {prompt} variable includes the content of files being reviewed, an attacker can include shell metacharacters (such as backticks, semicolons, or command substitutions) in a source file to execute arbitrary commands on the host system when the review is triggered.
  • Evidence: SKILL.md demonstrates that the "评审上下文" (review context) is inlined into the shell-executed prompt.
  • [DATA_EXFILTRATION]: The skill automatically collects project context, including file contents and background constraints, and sends them to external CLI tools (claude and codex). This involves transmitting local code and potentially sensitive business logic to third-party AI service providers.
  • Evidence: The execution flow in SKILL.md (Step 1 and Step 4) describes gathering and sending the "最小充分上下文" (minimum sufficient context) to external agents.
  • [PROMPT_INJECTION]: An indirect prompt injection surface is present where untrusted data from the codebase can influence the behavior of the reviewing agent.
  • Ingestion points: SKILL.md (Step 1) reads files from the local directory and conversation history based on the user's request.
  • Boundary markers: The prompt template in assets/review-prompt.md uses markdown headers but lacks strict delimiters or instructions to the model to ignore instructions contained within the code being reviewed.
  • Capability inventory: The skill has the capability to execute shell commands and read the filesystem.
  • Sanitization: No sanitization, escaping, or validation of the file content or shell command variables is performed.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 3, 2026, 10:30 PM