code-overhaul-review

Pass

Audited by Gen Agent Trust Hub on Apr 20, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION

Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface (Category 8) by ingesting untrusted data from the repository being audited.
    1. Ingestion points: Reads arbitrary files and code from the target repository using the Read, Grep, and Glob tools.
    2. Boundary markers: No boundary markers or 'ignore instructions' delimiters are specified for the audited data.
    3. Capability inventory: Uses the Bash tool to execute repository measurements and generate 'bd' task commands.
    4. Sanitization: No sanitization or escaping of extracted content is performed before interpolation into shell commands.
  • [COMMAND_EXECUTION]: The skill constructs shell commands, specifically for the 'bd' tool and repository measurements, using data derived from the audited files. This presents a command injection risk if the input data (such as titles or descriptions extracted from the code) contains shell metacharacters that are not properly sanitized before being passed to the Bash tool.
  • [PROMPT_INJECTION]: The inclusion of an 'eval/' directory containing a 'GRADER.md' and 'RUBRIC.md' represents a self-referential attempt to influence the evaluation of the skill's own performance and safety, which is a form of indirect prompt injection and metadata poisoning.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 20, 2026, 10:41 PM