The Agent Skills Directory

[COMMAND_EXECUTION]: The skill automatically identifies and executes shell commands defined in project configuration files during the verification step.
Evidence: Step 8 (Verify) searches for and runs lint and test commands from package.json (scripts.lint/test), pyproject.toml, Makefile, and Justfile.
Risk: A malicious repository could define these standard configuration keys to execute unauthorized code on the host system when the agent attempts to verify fixes.
[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection where malicious instructions from analysis tool outputs are passed to subagents.
Ingestion points: Step 4 parses fix_instructions from the stdout and stderr of tool execution.
Boundary markers: Absent. Tool output is captured and parsed without sanitization or delimiters before being sent to subagents.
Capability inventory: Subagents dispatched in Step 7 have the capability to modify the codebase.
Sanitization: Absent. Extracted fix instructions are interpolated directly into the subagent prompt.
[COMMAND_EXECUTION]: User-provided arguments are used to construct shell commands without sufficient sanitization.
Evidence: Step 1 and Step 3 use $ARGUMENTS directly as the command to be executed in the shell.
Evidence: Step 2 extracts the first word of the command and interpolates it into a bash command: command -v .
Risk: If the input contains shell metacharacters (e.g., semicolons or pipes), it could lead to arbitrary command execution.

review-fix-loop