appstore-review-checker

Pass

Audited by Gen Agent Trust Hub on May 3, 2026

Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted source code, configuration files, and metadata from external projects. Malicious instructions could be embedded in the analyzed code to override the auditor's logic or influence the fixer's modifications.
      • Ingestion points: agents/project-explorer.md scans all files in the project directory, including source files (.swift, .m, .h), Info.plist, and entitlements.
      • Boundary markers: Absent. The subagents are not instructed to treat project content as untrusted data or use specific delimiters to isolate it from system instructions.
      • Capability inventory: The skill can read project-wide files and perform write operations to source files through the agents/fixer.md component.
      • Sanitization: No sanitization or filtering of instructions within the analyzed data is performed.
  • [COMMAND_EXECUTION]: The agents/fixer.md agent possesses the capability to modify project source code and Info.plist configuration. While this is intended for applying approved fixes, the ability to write arbitrary code to the filesystem is a high-impact capability that could be misused if the agent's instructions are subverted through poisoned project data.
  • [SAFE]: The skill includes several security best practices, such as requiring explicit user approval before the fixer.md agent applies any changes, and producing intermediate JSON artifacts that allow for human verification of the audit findings.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 3, 2026, 02:46 PM