The Agent Skills Directory

[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted external data—such as code diffs, implementation descriptions, and plan requirements—by interpolating them directly into the agent's prompt without delimiters or instructions to ignore embedded commands. This could allow a malicious actor to influence the reviewer's assessment via comments or commit messages.
Ingestion points: The template in code-reviewer.md ingests data through placeholders {WHAT_WAS_IMPLEMENTED}, {PLAN_OR_REQUIREMENTS}, and {DESCRIPTION}, as well as the output of the git diff command.
Boundary markers: Absent. There are no delimiters or specific instructions to the agent to treat the interpolated content as untrusted data.
Capability inventory: The agent executes shell commands (git) and provides assessments that drive the development workflow.
Sanitization: No sanitization or filtering is applied to the input placeholders before they are rendered into the final prompt.
[COMMAND_EXECUTION]: The code-reviewer.md file defines shell commands (git diff --stat {BASE_SHA}..{HEAD_SHA}) that are constructed using direct string interpolation. If the {BASE_SHA} or {HEAD_SHA} variables are populated with input containing shell metacharacters (e.g., ;, &&, or |), it could lead to arbitrary command execution within the agent's environment.

requesting-code-review