The Agent Skills Directory

PROMPT_INJECTION (LOW): The skill exhibits an Indirect Prompt Injection attack surface (Category 8). It instructs agents to ingest and process untrusted external data (codebase files and diffs) which is interpolated into prompts via variables like {JSON_PACKET} and {FILES_AND_DIFFS}.
Ingestion points: Untrusted data enters the agent context through the {JSON_PACKET} (in references/personas.md), {PACKET} (in references/cli-spawning.md), and {FILES_AND_DIFFS} (in references/quick-mode.md) variables.
Boundary markers: The prompt templates provided in references/personas.md and references/quick-mode.md do not utilize delimiters (e.g., XML tags or unique markers) or specific 'ignore instructions within data' warnings to prevent the LLM from obeying instructions embedded in the analyzed code.
Capability inventory: The 'Explorer' sub-agents are explicitly granted access to high-privilege tools including Bash, Glob, Grep, and Read (as documented in references/explorers.md).
Sanitization: There is no evidence of sanitization or escaping logic to handle malicious payloads within the files or diffs being analyzed.
COMMAND_EXECUTION (SAFE): While the documentation in references/cli-spawning.md describes the use of codex exec with a {PACKET} placeholder which could be vulnerable to shell injection if poorly implemented in a harness, the skill itself does not contain executable implementation scripts for this operation; it only defines the capability contract. The provided scripts/validate.sh is a benign self-test script.

council