The Agent Skills Directory

[PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface (Category 8) by ingesting extensive untrusted data from the project being reviewed, including spec.md, plan.md, workflow.md, and the entire codebase. This data is processed without boundary markers or sanitization, and it directly influences the agent's high-privilege actions such as executing shell commands and modifying files.
[COMMAND_EXECUTION]: The skill executes arbitrary shell commands derived from project configuration files. Specifically, it runs integration test commands defined in docs/workflow.md and log-retrieval commands defined in templates/stacks/{stack}.yaml. It also utilizes dynamic context injection (!command syntax) in SKILL.md to execute git branch and git diff commands at load time to provide environment context.
[DATA_EXFILTRATION]: The skill accesses production logs from cloud providers (Vercel, Cloudflare, Fly.io, etc.) and performs scans for hardcoded secrets like sk_live or passwords within the source code. While these are functional requirements for a security audit, they involve the handling and potential exposure of highly sensitive credentials and runtime data.

solo-review