local-code-review

Warn

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script bin/gitea-review frequently executes system-level commands including docker, git, and curl. These operations are used to manage the lifecycle of the Gitea container, push local repository branches, and interact with the Gitea API.
  • [EXTERNAL_DOWNLOADS]: The skill downloads and runs the gitea/gitea:latest image from Docker Hub and installs the caddy package from Alpine Linux repositories inside the container during its initialization.
  • [CREDENTIALS_UNSAFE]: The skill uses hardcoded passwords ('review' and 'agent') for the local Gitea instance. It stores generated API tokens in an ephemeral environment file located in the system's temporary directory (/tmp). While the script attempts to secure this file using umask 077, its presence in a shared directory is a noted security characteristic. Additionally, the Caddy reverse proxy configuration uses the X-WEBAUTH-USER header to grant administrative access to the web UI without a password, allowing any local user who can access the assigned network port (range 3000-3999) to authenticate as the 'review' user.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests untrusted data from external sources.
    • Ingestion points: The agent reads commit messages via bin/generate-pr-description and PR review comments via bin/format-review-comments (sourced from the Gitea API).
    • Boundary markers: The scripts do not appear to use specific delimiters or instructions to prevent the agent from obeying commands embedded within the fetched comments or commit logs.
    • Capability inventory: The agent has the capability to execute shell commands, manage Docker containers, and modify the local filesystem via the provided scripts.
    • Sanitization: There is no evidence of sanitization or filtering of the natural language content extracted from comments or git logs before it is presented to the agent.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 1, 2026, 05:07 AM