cs-refactor

Pass

Audited by Gen Agent Trust Hub on Apr 27, 2026

Risk Level: SAFE | PROMPT_INJECTION | DATA_EXFILTRATION | COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill ingests and processes external source code files during the scan phase to generate refactoring plans. These files act as untrusted data inputs. The instructions lack explicit prompt boundary markers or sanitization rules for the ingested content, creating an attack surface for indirect prompt injection where malicious instructions hidden in code could influence the agent's subsequent design or application steps.
  • [DATA_EXFILTRATION]: In reference/methods.md, method M-L1-04 (Characterization Test) suggests that the agent sample inputs from production logs to create tests. Accessing production logs poses a significant data exposure risk, as these files often contain PII, credentials, or session tokens. If the agent processes this data, it may inadvertently include sensitive information in its markdown reports or execution notes.
  • [COMMAND_EXECUTION]: The skill instructs the agent to run various shell commands, including grep, test runners (e.g., npm test), and linters (ESLint/Prettier). While these are standard development tasks, the commands operate on files and paths provided by the user and potentially influenced by indirect injection, representing a risk if not strictly scoped.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 27, 2026, 02:58 AM