pre-publish-review

Pass

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: SAFE
Flags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes local shell commands including git log, git diff, and npm view to gather project information. It specifically runs node -p to read the project's package.json file, which can result in arbitrary code execution if the file contains malicious JavaScript logic triggered during the require call.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it retrieves untrusted data from the repository's commit history, diffs, and source code and incorporates it directly into the prompts for 16 different AI agents.
  • Ingestion points: Git commit messages, file diffs, and full source code contents are read and passed to agents.
  • Boundary markers: The skill uses XML-style tags (e.g., <diff>, <commits>) to wrap the ingested data, providing a layer of structural separation that may not stop sophisticated injection attempts.
  • Capability inventory: The skill has the ability to execute shell commands and orchestrate multiple sub-agents in the background.
  • Sanitization: There is no evidence of content sanitization or filtering to remove malicious instructions from the ingested repository data before it is processed by the agents.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 14, 2026, 04:05 AM