requesting-code-review

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (LOW): The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted data from git repositories and external requirement documents.
      • Ingestion points: The code-reviewer.md template interpolates content from {WHAT_WAS_IMPLEMENTED}, {PLAN_OR_REQUIREMENTS}, and the output of git diff directly into the agent's context.
      • Boundary markers: Absent. The instructions do not use specific delimiters (like XML tags or triple backticks with 'ignore' warnings) to separate the reviewer's instructions from the potentially adversarial content in the code diffs.
      • Capability inventory: The skill utilizes bash to execute git commands. While limited, an attacker-controlled diff could attempt to influence the agent's logic during the review phase.
      • Sanitization: No sanitization or validation of the input strings is performed before they are presented to the subagent for review.
  • [Command Execution] (SAFE): The skill executes local bash commands including git rev-parse, git log, and git diff. These operations are standard for the skill's intended purpose of code review and do not involve unauthorized file access, privilege escalation, or network activity.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 17, 2026, 06:47 PM