performing-security-code-review

Pass

Audited by Gen Agent Trust Hub on Apr 8, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill is designed to ingest and analyze potentially untrusted project source code, creating an entry point for indirect prompt injection.
  • Ingestion points: Target source files, environment configurations, and dependency manifests are read into the agent's context using the Read, Glob, and Grep tools as instructed in SKILL.md.
  • Boundary markers: The instructions do not define clear delimiters or "ignore embedded instructions" warnings to separate user-provided code from the agent's system instructions.
  • Capability inventory: The skill utilizes the Bash, Write, and Edit tools, which provide the agent with broad execution and modification capabilities over the local environment (SKILL.md).
  • Sanitization: There is no evidence of sanitization or escaping mechanisms applied to the file content before it is processed by the AI.
  • [COMMAND_EXECUTION]: Intentional vulnerability examples. The file assets/example_code_vulnerable.py contains the command_injection_example function, which uses subprocess.run(shell=True) with unsanitized user input. This is explicitly provided as a negative pattern for the code review tool to identify.
  • [REMOTE_CODE_EXECUTION]: Intentional insecure deserialization. The asset file assets/example_code_vulnerable.py demonstrates remote code execution using pickle.loads(). It includes a MaliciousClass designed to execute rm -rf / upon deserialization, serving as a test case for auditing capabilities.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 8, 2026, 09:46 AM