lisa-review-project

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
  • COMMAND_EXECUTION (MEDIUM): In Step 5, the skill executes a shell command to compare files: diff -u "{lisa-source}" "{project-file}". Because these paths are interpolated directly into the command string from the .lisa-manifest and user-provided directory paths, a maliciously named file or path containing shell metacharacters (e.g., ;, $(), or &&) could lead to arbitrary command execution.
  • DATA_EXFILTRATION (LOW): The skill reads arbitrary files from a user-specified project path and includes their content in the LLM's context to generate diffs and analysis reports. While intended for code review, this provides a mechanism to expose local file contents to the model.
  • INDIRECT_PROMPT_INJECTION (LOW): The skill ingests untrusted data from the target project's files during the categorization and analysis phase (Step 6). Malicious instructions embedded in these source files could attempt to influence the agent's judgment or report output. (Evidence: 1. Ingestion points: target project files and manifest; 2. Boundary markers: Absent; 3. Capability inventory: Shell command execution, file reading, and file writing to the source repository; 4. Sanitization: Absent).
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:40 PM