The Agent Skills Directory

[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted code content from the user's repository.
Ingestion points: The skill uses localGetFileContent and localSearchCode to read and analyze file contents from the user's workspace during target acquisition and sin inventory phases.
Boundary markers: No specific boundary markers or instructions to ignore instructions embedded within the code comments or strings are defined in the execution flow.
Capability inventory: The skill has significant capabilities, including reading any file in the workspace and modifying files during the "Resurrection" phase.
Sanitization: No explicit sanitization or filtering of the processed code content is described before it is processed by the LLM.
[COMMAND_EXECUTION]: The skill has the capability to modify local source code files to apply recommended fixes.
Evidence: The "Resurrection" phase (Phase 6) in SKILL.md explicitly details modifying files, deleting lines, and adding lines based on user-selected fixes.
Mitigation: The skill includes a "Wait for Consent" rule and a specific user checkpoint (Phase 5) before any modifications are executed.
[DATA_EXFILTRATION]: The skill is designed to search for and expose sensitive data within the user's own codebase.
Evidence: The "Sin Registry" in references/sin-registry.md contains search patterns for hardcoded secrets such as password, api_key, secret, and token.
Context: While this involves accessing sensitive data, it is a core feature of the skill's security auditing purpose and does not include mechanisms for unauthorized external transmission.

octocode-roast