fix-review-issues

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (LOW): The skill automatically filters, reconciles, and justifies code review findings by reading content from potentially untrusted project files. An attacker with write access to the repository or shared system paths could use these files to trick the agent into ignoring legitimate issues or executing malicious plans.
      • Ingestion points: Processes $review output and reads local files including AGENTS.md, plan-*.md, PLAN.md, spec-*.md, SPEC.md, and requirements*.md.
      • Boundary markers: Lacks explicit instructions or delimiters to isolate ingested data from the core system prompt.
      • Capability inventory: Orchestrates code modifications via the $plan and $implement tools, providing a path for the injected instructions to influence the codebase.
      • Sanitization: No validation or content sanitization is performed on the ingested files.
  • Command Execution (SAFE): The skill executes ls and find to discover configuration and plan files. These operations use hardcoded patterns and are restricted to read-only discovery tasks within the local filesystem and /tmp/ directory.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:20 PM