code-cleanup

Pass

Audited by Gen Agent Trust Hub on Apr 1, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits a high surface area for indirect prompt injection because it is designed to ingest and process the entire contents of a user's codebase.
      • Ingestion points: The code-scanner-agent and refactoring-agent read source code directly from the filesystem to identify and apply changes.
      • Boundary markers: Absent. There are no instructions to the agents to treat code comments or string literals as data rather than instructions, which could allow an attacker to embed 'jailbreak' or override commands in the files being cleaned.
      • Capability inventory: The system possesses high-impact capabilities including file deletion (safe-removal-agent), file modification (refactoring-agent), and shell command execution (validation-agent).
      • Sanitization: Absent. No filtering or escaping is performed on the code content before it is presented to the agents' context.
  • [COMMAND_EXECUTION]: The validation-agent.md instructs the agent to execute arbitrary shell commands discovered in the project environment.
      • Evidence: The agent is directed to run commands such as bun test, npm test, pytest, and npm run build. While these are legitimate for validation, they execute logic defined within the potentially untrusted project being audited.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 1, 2026, 04:32 AM