The Agent Skills Directory

[COMMAND_EXECUTION]: The skill accepts user-supplied git references (tags, commits, or branches) via $ARGUMENTS and interpolates them directly into shell commands such as git rev-parse, git log, and git diff. This creates a risk of command injection if the inputs contain shell metacharacters (e.g., ;, &&, |) and are not properly sanitized by the execution environment.
[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and analyzes data from external, potentially untrusted sources (git commit messages and file diffs). An attacker with the ability to commit to the repository could embed malicious instructions designed to deceive the AI agent or suppress the reporting of specific risks.
Ingestion points: The output of git log and git diff commands (SKILL.md, Step 3).
Boundary markers: Absent. There are no instructions or delimiters defined to help the agent distinguish between the data being analyzed and the system instructions.
Capability inventory: Shell command execution via the git utility.
Sanitization: Absent. The skill processes raw git output without filtering or escaping content that might contain instruction-like patterns.

release-review