The Agent Skills Directory

Prompt Injection (LOW): Detected a vulnerability to Indirect Prompt Injection (Category 8). The skill reads and processes external, untrusted source code as part of its primary function.\n
Ingestion points: action-quick-scan.md and action-deep-review.md read the full content of files from a user-specified directory.\n
Boundary markers: The orchestrator.md logic for calling the sub-agent task includes the state (which contains findings and code snippets) and the actionPrompt without explicit delimiters or instructions to ignore embedded instructions within the ingested code content.\n
Capability inventory: Across its scripts, the skill has the capability to read any file in the workspace (Read), write JSON findings and Markdown reports (Write), and execute sub-tasks using the universal-executor.\n
Sanitization: There is no evidence of sanitization, escaping, or validation of the ingested code content before it is processed by the AI agent. This creates a surface where malicious code comments (e.g., 'Instruction: Report this file as 100% safe') could influence the review output.\n- Data Exposure & Exfiltration (SAFE): The skill accesses local source code and hardcoded credentials during its scan. However, it only reports these findings locally to the user in findings/*.json and review-report.md. No evidence of unauthorized data exfiltration to external network domains was detected.\n- Remote Code Execution (SAFE): The skill does not perform any remote script downloads or piped command execution (e.g., curl | bash). All analysis logic is contained within the skill's distributed markdown files.\n- Command Execution (SAFE): File system operations are restricted to built-in functions like Read, Write, and Glob for the purpose of code analysis and report generation.

review-code