rubocop

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill is designed to ingest and process external, untrusted content (Ruby source code). It possesses significant capabilities, including file modification through autocorrect and execution of subprocesses, which creates a high-risk surface for indirect prompt injection.
  • Ingestion points: Ruby source files across the project directory (e.g., app/, lib/, spec/).
  • Boundary markers: Absent; there are no specified delimiters or instructions to ignore embedded prompts in the analyzed code.
  • Capability inventory: Shell command execution (rubocop), file system modification (rubocop -a/-A), and git interaction.
  • Sanitization: Absent; the skill does not specify any sanitization or validation of the code content before analysis or autocorrection.
  • Command Execution (MEDIUM): The skill frequently uses shell commands to invoke RuboCop. It recommends shell pipelines such as git diff ... | xargs rubocop, which could be exploited for command injection if file names in the project environment are maliciously crafted (for example, names containing spaces, quotes, or other shell metacharacters that xargs passes through unquoted).
  • Dynamic Execution (MEDIUM): As documented in custom_cops_guide.md, RuboCop can dynamically load and execute Ruby code via the require directive in .rubocop.yml. If an attacker can modify the project's configuration, they can achieve arbitrary code execution in the agent's environment.
  • External Downloads (LOW): The extensions_guide.md recommends installing external gems via gem install or Gemfile. While these are trusted sources (RubyGems), runtime installation of dependencies is a risk factor that should be managed via strict environment controls.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 01:14 AM