The Agent Skills Directory

[Indirect Prompt Injection] (HIGH): The skill's primary purpose is to read and process external source code (e.g., from pull requests), which is a classic Category 8 attack surface. Malicious instructions could be embedded in code comments or strings to hijack the agent's behavior.
Ingestion points: scripts/utils.py contains logic to find and read local source files.
Boundary markers: No delimiters or explicit instructions are provided to help the AI distinguish between the skill's instructions and the content of the files being reviewed.
Capability inventory: The skill enables the Bash tool, which allows the agent to execute arbitrary system commands if successfully manipulated by an injection.
Sanitization: No sanitization or filtering is performed on the ingested file content.
[Unverifiable Dependencies] (HIGH): The skill documentation and CLAUDE.md reference two primary executable scripts, scripts/analyze.py and scripts/security_scan.py, which are not included in the provided skill files. These scripts are intended to be executed via Python, but their internal logic cannot be audited for safe handling of file paths or command injection vulnerabilities.
[Command Execution] (MEDIUM): The Bash tool is enabled in SKILL.md. While used for legitimate purposes like git diff, it provides a high-privilege execution environment that could be exploited if the agent is tricked via the aforementioned indirect prompt injection surface.

code-review-assistant