git-ai-code-search

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill's primary function is to ingest and analyze external, untrusted source code. This creates a significant attack surface where malicious instructions embedded in code comments or metadata could hijack the agent's logic.
  • Ingestion points: semantic_search, read_file, and ast_graph_* tools in references/tools.md read external repository content.
  • Boundary markers: No boundary markers or 'ignore' instructions are provided to the agent for separating data from instructions.
  • Capability inventory: The skill possesses the capability to read arbitrary files (read_file) and the instructions in references/constraints.md (Rule 3) explicitly reference 'making changes' and 'modifying files', implying a write/execute capability exists in the environment.
  • Sanitization: No sanitization or validation of the ingested content is mentioned.
  • Data Exposure / Arbitrary File Read (HIGH): Every tool in the skill, including read_file and list_files, requires an explicit path parameter. The documentation and constraints (Rule 1) do not restrict these paths to a safe workspace or sandbox. An attacker could use prompt injection to trick the agent into reading sensitive system files (e.g., /etc/shadow, ~/.ssh/id_rsa) by providing absolute paths to these tools.
  • Command Execution (MEDIUM): The SKILL.md file encourages the execution of the git-ai CLI tool. This introduces a dependency on external software that executes shell commands (git-ai ai index), which may have its own security vulnerabilities or be used to execute arbitrary commands if input is not properly handled by the underlying CLI.
  • Denial of Service (LOW): The search_symbols tool supports a regex mode. Without proper constraints, the agent could be manipulated into executing complex, malicious regular expressions against large codebases, leading to Regular Expression Denial of Service (ReDoS).
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 09:56 AM