The Agent Skills Directory

[Indirect Prompt Injection] (HIGH): The skill processes untrusted code (the target of refactoring) and has permissions to write files and execute shell commands (test runners). This combination allows for indirect prompt injection where malicious instructions hidden in code comments or test files could be executed by the agent. * Ingestion points: Code blocks and files provided by the user via triggers like 'Refactor this'. * Boundary markers: Absent; the skill does not use delimiters to isolate untrusted code. * Capability inventory: file:write and bash:npm, pytest, jest defined in SKILL.md. * Sanitization: Absent; there is no logic to filter or ignore instructions embedded in the provided code.- [Command Execution] (MEDIUM): The skill uses tools like npm, pytest, and jest which execute code. If the environment contains malicious configuration files (e.g., a package.json with a malicious test script) or if the user includes malicious tests in the refactor, the agent will execute them during the verification phase.

safe-refactor