The Agent Skills Directory

[PROMPT_INJECTION]: The skill analyzes untrusted third-party code, which presents a surface for indirect prompt injection. An attacker could embed malicious instructions within code comments or string literals that the agent might inadvertently follow during its analysis phase.
Ingestion points: The skill uses tools like Read, Glob, and Grep, along with Bash (to run git diff and find), to ingest content from the target repository into the agent's context.
Boundary markers: The instructions do not specify the use of clear delimiters or explicit system instructions to treat the ingested code as data only and to ignore any embedded natural language commands.
Capability inventory: The skill is granted access to the Bash tool, which allows for significant interaction with the local file system and potentially the network, increasing the risk if an injection occurs.
Sanitization: No sanitization or filtering of the ingested source code is performed prior to the AI processing the content.

security-review