second-opinion

Fail

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The execution flow in SKILL.md uses an unquoted HEREDOC (<<EOF) to pass data to the gemini CLI tool. In bash, unquoted HEREDOCs perform variable expansion and command substitution on the content. Since the $CONTEXT variable contains the raw content of project files, any file containing shell execution patterns such as $(...) or backticks will have those commands executed locally when the skill is run.
  • [EXTERNAL_DOWNLOADS]: The skill references the gemini-cli tool and provides installation instructions pointing to the google-gemini GitHub organization, which is a trusted source for developer tools.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from the local filesystem to build its prompt.
    • Ingestion points: Full content of project files is gathered in Step 2 of the Execution Flow.
    • Boundary markers: The skill uses markdown headers (e.g., ## Problem Context) as delimiters, which can be easily bypassed or confused by malicious content within the analyzed files.
    • Capability inventory: The skill executes shell commands (gemini) and reads local files, providing a high-impact target for successful injection.
    • Sanitization: There is no evidence of sanitization, escaping, or filtering of the file contents before they are interpolated into the shell command or the LLM prompt.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 29, 2026, 07:15 AM