The Agent Skills Directory

[COMMAND_EXECUTION]: The skill uses the Bash tool to execute copilot commands by directly embedding user-provided strings for the target path (<target_dir>), model selection (<security_model>), and effort level (<level>). The instructions in SKILL.md under the 'Execution' section demonstrate a pattern where user-controlled arguments are passed to a shell environment without any sanitization or validation logic. This allows an attacker to supply malicious input containing shell metacharacters (e.g., ;, &&, |, or backticks) to execute arbitrary code on the underlying system.\n- [DATA_EXFILTRATION]: In the 'Security Review' prompt section, the skill explicitly directs the agent to look for 'confidential information exposure risks (API keys, credentials, etc.)'. This design pattern causes the agent to systematically read sensitive secrets from the project's source code and output them into the conversation logs or integration report, resulting in the exposure of private credentials to the chat context and potentially to external logging systems.\n- [PROMPT_INJECTION]: The skill processes external files from a user-specified target directory using the Copilot CLI. Since the skill lacks boundary markers or instructions to ignore embedded commands within the processed data, it is vulnerable to indirect prompt injection. Malicious instructions hidden in code comments or metadata within the analyzed directory could influence the output of the Copilot CLI or trick the agent into performing unintended actions when it parses and integrates the results into the final report. Evidence of this risk exists in the ingestion of the <target_dir> content into the analysis workflow without sanitization or defensive framing.

copilot-review