The Agent Skills Directory

Indirect Prompt Injection (LOW): The skill is designed to ingest and process untrusted data from external sources, which could contain instructions intended to manipulate the agent's behavior.
Ingestion points: External web pages accessed via mcp__playwright__browser_navigate or WebFetch (references/page-review.md) and local source files accessed via the Read tool (references/code-review.md).
Boundary markers: Absent; the guides do not explicitly define delimiters for untrusted content or include specific warnings to the sub-agents to ignore embedded natural language instructions within the data.
Capability inventory: The specialist agents have access to a variety of tools, including Read, Grep, Glob, WebFetch, Task, and Playwright browser interactions (click, navigate).
Sanitization: Absent; content fetched from URLs or read from files is passed directly into the context of the sub-agent for analysis without filtering.
Data Exposure (SAFE): Although the skill utilizes the Read tool to access the local file system, its use is restricted by context to source code review. There are no hardcoded sensitive file paths (e.g., SSH keys, credentials) or unauthorized network exfiltration patterns identified.
Dynamic Execution (SAFE): The orchestrator uses the Task tool to dynamically generate sub-agent instructions by reading local reference guides. This is a standard architectural pattern for multi-agent systems and does not involve executing untrusted remote code.

reviewing-a11y