diff-review

Fail

Audited by Gen Agent Trust Hub on Mar 8, 2026

Risk Level: HIGH
Finding categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill is highly vulnerable to shell injection. The user-supplied <commit-hash> parameter is directly interpolated into shell commands (e.g., git rev-parse --verify $COMMIT_HASH) and filename generation without any sanitization. An attacker providing a malicious hash like $(touch pwned) could execute arbitrary code on the host system.
  • [DATA_EXFILTRATION]: The skill generates report filenames using the unsanitized <commit-hash> variable (e.g., REPORT_FILE="diff-review-$(echo $COMMIT_HASH | cut -c1-7)..."). This allows for path traversal or arbitrary file write vulnerabilities, as a crafted input could potentially overwrite sensitive system files or write data to unintended directories.
  • [PROMPT_INJECTION]: The skill exhibits a significant indirect prompt injection surface by processing untrusted code diffs and injecting them directly into the prompts of multiple AI reviewers.
    • Ingestion points: Git diff content obtained in SKILL.md (Step 2) is injected into the {{DIFF_CONTENT}} placeholder in reviewers/claude-role.md, reviewers/codex-role.md, and reviewers/gemini-role.md.
    • Boundary markers: Absent. The diff content is simply appended to the end of the role instructions under a markdown header, without isolation or escaping.
    • Capability inventory: The skill possesses the ability to execute shell commands (git, gemini, codex), write files to the local disk, and trigger sub-tasks via Claude Code (documented in SKILL.md).
    • Sanitization: Absent. There is no evidence of validation, escaping, or filtering applied to the code diffs or the user-provided parameters before they are used in prompts or shell commands.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 8, 2026, 09:04 PM