webflux-test-reviewer

Warn

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill instructions in SKILL.md direct the agent to use dangerously_trust_all_tools: true to bypass tool approval prompts during parallel execution. This is a direct attempt to override safety protocols and eliminate user oversight of tool execution.
  • [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection. Ingestion points: candidate repository contents, including README.md, source code, and configuration files. Boundary markers: absent; no specific delimiters or ignore instructions are provided to separate untrusted content. Capability inventory: access to shell commands (git log, git branch) and broad file read operations. Sanitization: absent; the agent is instructed to explore and analyze the codebase without validation filters.
  • [COMMAND_EXECUTION]: The skill performs shell operations such as git log and git branch on untrusted directories. It also includes a setup script (setup_candidates.sh) that executes git clone on arbitrary external URLs provided by the user.
  • [DATA_EXFILTRATION]: The agent is instructed to access and read sensitive local files, including .env, application.yml, and application.properties files. While intended for auditing purposes, this level of access, combined with the requested bypass of tool confirmations, increases the risk of data exposure if the agent is compromised by malicious repository content.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 29, 2026, 04:43 AM