The Agent Skills Directory

[PROMPT_INJECTION] (HIGH): Vulnerable to Indirect Prompt Injection (Category 8) due to the combination of untrusted data ingestion and high-privilege write capabilities.
Ingestion points: Codebase files accessed via /scout and external search results generated by the researcher subagent.
Boundary markers: None. The skill lacks delimiters or instructions to ignore embedded commands within the files it analyzes.
Capability inventory: Extensive write/execute permissions, including creating files (plan.md, phase-XX.md), performing git commits/pushes (git-manager), and running image processing tools (ImageMagick).
Sanitization: No evidence of sanitization or validation of the data pulled from the codebase or external sources before it is used to influence the agent's planning or tool execution.
[DATA_EXFILTRATION] (MEDIUM): Risk of codebase exposure (Category 2). The researcher subagent is tasked with validating ideas and finding solutions based on the codebase. This workflow encourages the agent to potentially send proprietary code snippets or architectural details to external search engines or LLM providers in its search queries.
[COMMAND_EXECUTION] (MEDIUM): Dynamic execution risk (Category 10). The skill explicitly directs the agent to use ImageMagick for image editing. If filenames or parameters are derived from untrusted codebase content without proper escaping, this could lead to command injection within the local environment.

review-codebase