flow-next-impl-review
Warn
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- Dynamic Execution (MEDIUM): The file `flowctl-reference.md` uses `eval` to execute the output of the `flowctl rp setup-review` command. This pattern of executing dynamically generated shell code is risky, as the output of `flowctl` may be influenced by local configuration files (like `.flow/config.json`) or repository metadata, which could be manipulated by an attacker to achieve arbitrary code execution.
- Indirect Prompt Injection (LOW): The skill is highly vulnerable to indirect prompt injection because it ingests untrusted data (git diffs and implementation changes) and passes them to an LLM. The automated 'Fix Loop' in `SKILL.md` is designed to 'Automatically fix ALL valid issues' and 'Never use AskUserQuestion', meaning it applies and commits LLM-suggested code changes to the repository without human review. An attacker could craft code that, when reviewed, tricks the LLM into suggesting a 'fix' containing a backdoor, which this skill would then automatically commit.
- Command Execution (MEDIUM): The skill makes extensive use of a bundled binary `flowctl` to interact with the system and git repository. While the binary is local to the plugin, the skill's reliance on shell execution for critical logic and its automated write-back capabilities increase the overall risk profile.
Audit Metadata