The Agent Skills Directory

[PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface through the ingestion of code diffs.
Ingestion points: Change diffs gathered via git diff are interpolated into sub-agent prompts (Security, Quality, and Test reviewers) using the {list} and {changed files list} placeholders in SKILL.md.
Boundary markers: The skill does not provide boundary markers or explicit instructions to the sub-agents to ignore instructions that may be embedded within the code being reviewed.
Capability inventory: The reviewer agents have the ability to read and write files within the project's .claude/ directory and execute shell commands via the parent agent.
Sanitization: No sanitization or escaping of the diff content is performed before it is presented to the LLM.
[COMMAND_EXECUTION]: The skill invokes several command-line tools.
It uses git to retrieve repository logs and diffs.
The Test Reviewer executes uv run pytest --cov=src, which runs the local test suite. This is a standard developer action but involves executing code contained within the project.
The Quality Reviewer invokes an unverified third-party CLI tool: codex exec --model gpt-5.3-codex --sandbox read-only --full-auto "{question}". While it uses a read-only sandbox, this introduces a dependency on a tool not associated with a known trusted vendor.

team-review