flow-next-impl-review

Warn

Audited by Gen Agent Trust Hub on Apr 25, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses eval to execute the output of the flowctl tool during the setup phase. This pattern allows the tool to dynamically inject shell environment variables or commands that are immediately executed by the agent, posing a security risk if the tool's output is manipulated.
  • [PROMPT_INJECTION]: Instructions explicitly mandate that the agent bypass standard safety protocols and user oversight during code repairs. Directives such as 'Do NOT ask user for confirmation' and 'Never use AskUserQuestion in this loop' override the human-in-the-loop verification typically required for autonomous file system modifications.
  • [DATA_EXFILTRATION]: To perform its primary function, the skill collects source code, commit logs, and diffs from the user's repository and transmits them to external analysis services (RepoPrompt and Codex).
  • [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection by ingesting and acting upon feedback from external LLM-based code reviewers.
      • Ingestion points: Feedback text returned from RepoPrompt and output from the Codex CLI.
      • Boundary markers: The agent is instructed to look for specific <verdict> XML-style tags to parse review outcomes.
      • Capability inventory: The agent has capabilities to write to the file system (fixing code), perform git commits, and execute shell commands via the flowctl utility.
      • Sanitization: There is no evidence of sanitization or validation of the external feedback before the agent attempts to interpret and implement it as code changes.
  • [COMMAND_EXECUTION]: The skill executes a wide range of shell commands, including git operations and a bundled utility (flowctl) located in the plugin's scripts directory.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 25, 2026, 02:41 AM