NYC

review-changes

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • PROMPT_INJECTION (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8). It ingests untrusted data from the local repository via git diff HEAD and processes it to generate a review report. There are no boundary markers or sanitization steps to prevent malicious code comments from overriding the agent's instructions. Evidence Chain:
    1. Ingestion point: git diff HEAD (Phase 0.1).
    2. Boundary markers: Absent; the diff is read directly into the context.
    3. Capability inventory: The skill uses bash to run git and writes reports to the plans/reports/ directory.
    4. Sanitization: Absent; the agent is instructed to read the diff and 'immediately update report'.
  • COMMAND_EXECUTION (LOW): The skill executes local git and bash commands. While necessary for the stated purpose of reviewing uncommitted changes, this constitutes a local command execution surface.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 09:09 AM