NYC

review-post-task

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill creates an attack surface where untrusted data from the repository can influence agent behavior.
  • Ingestion points: Untrusted content enters the context via git diff commands in SKILL.md (Steps 1.1 and 2.1).
  • Boundary markers: Absent. The agent receives raw diff data without explicit delimiters or instructions to ignore embedded natural language commands within the code.
  • Capability inventory: The skill authorizes the agent to 'Fix each issue directly' (Step 1.3), granting it file-write and modification privileges based on its interpretation of the (potentially malicious) input.
  • Sanitization: Absent. There is no mechanism to filter or sanitize instructions embedded in code comments or strings before the agent processes them.
  • Command Execution (LOW): The skill executes local shell commands to interact with the version control system.
  • Evidence: Usage of git diff --stat, git diff, and git add -p in SKILL.md. While these are standard tools, they are the mechanism through which untrusted data is pulled into the agent's reasoning loop.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:48 PM