domain-reviewer

Pass

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection via its autonomous loop mechanism. The orchestrator script extracts 'handoff blocks' from AUDIT_REPORT.md and uses them to construct prompts for subsequent AI worker phases.
      • Ingestion points: The run_codex_audit_loop.py script reads AUDIT_REPORT.md, which is generated by an AI worker based on untrusted implementation code from the target repository.
      • Boundary markers: While the worker prompts use markdown headers like ## Context and ## Instructions, the handoff blocks are interpolated directly without specific delimiters or instructions for the model to ignore embedded data.
      • Capability inventory: The skill possesses significant capabilities via the codex tool and git commands, including the ability to read and write files and execute shell commands within the repository.
      • Sanitization: No sanitization or escaping is performed on the content extracted from AUDIT_REPORT.md before it is passed as a prompt to the next worker phase.
  • [COMMAND_EXECUTION]: The scripts/launch_codex_worker.py and scripts/run_codex_audit_loop.py scripts use the subprocess module to execute system commands.
      • Evidence: The scripts call git for repository state management and the codex binary (configured via the --codex-bin argument) to execute AI tasks.
      • Background execution: launch_codex_worker.py uses os.fork() and os.setsid() to detach and run these commands in background processes.
  • [DATA_EXFILTRATION]: To perform its auditing functions, the skill reads the content of implementation files, test files, and project plans. This sensitive repository context is sent to an external AI provider's servers when the codex exec command is called.
  • [REMOTE_CODE_EXECUTION]: The skill's primary operation involves the execution of AI-generated logic via the codex tool. While this is the intended purpose of the skill, it represents a pattern where instructions generated by a remote model are executed locally on the filesystem.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 10, 2026, 08:11 PM