review-code

Pass

Audited by Gen Agent Trust Hub on Mar 21, 2026

Risk Level: SAFE | PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: Indirect Prompt Injection Risk. The skill reads and analyzes untrusted code from a local directory, which serves as a significant attack surface. Ingestion points: Source code is read from a user-specified path during the action-collect-context.md phase. Boundary markers: The orchestrator.md component includes the full state JSON (containing code snippets) in prompts for the sub-agent without using delimiters or instructions to ignore embedded commands. Capability inventory: The skill has access to sensitive tools including Agent, Bash, Read, Write, and Glob. Sanitization: No escaping or validation is performed on the ingested code snippets before they are interpolated into the orchestrator's prompt.
  • [COMMAND_EXECUTION]: Localized filesystem operations. The skill employs the Bash tool for operational tasks such as creating workspace directories (mkdir -p) and managing temporary state files. These commands are restricted to managing the local scratchpad environment.
  • [SAFE]: Hardcoded placeholders and examples. Documentation and rule configuration files (such as security-rules.json and templates/issue-template.md) contain placeholder credentials (e.g., 'sk-xxxxxxxxxxxx') and snippets of vulnerable code. These are used strictly as detection patterns or user examples and do not constitute a security risk or credential exposure.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 21, 2026, 06:40 AM