security-review

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (categories: COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • Prompt Injection (HIGH): The skill is highly vulnerable to Indirect Prompt Injection because it is designed to analyze external, untrusted source code while holding powerful execution capabilities.
  • Ingestion points: External code and configuration files are accessed using the Read, Grep, and Glob tools as defined in SKILL.md.
  • Boundary markers: Absent. The skill lacks instructions or delimiters to isolate ingested file content from the agent's core instructions.
  • Capability inventory: The inclusion of the Bash tool provides a direct execution vector for any malicious instructions discovered within ingested files.
  • Sanitization: Absent. There is no logic provided to validate, filter, or escape the content of files before the agent processes them.
  • Command Execution (HIGH): The skill explicitly permits the Bash tool in the allowed-tools section of SKILL.md. Although the Tooling Notes suggest using only read-only commands, there are no technical constraints or enforcements to prevent the agent from executing destructive commands, modifying files, or establishing network connections if manipulated.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 09:51 AM