mentor-workflow

Pass

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill enforces a robust read-only constraint on codebase files, explicitly forbidding the use of Write or Edit tools on any file outside the designated .claude_resolve/ workflow directory.
  • [SAFE]: Usage of the Bash tool is restricted to non-destructive development tasks, such as performing git diff for reviews and running project tests or linters.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting and processing untrusted data from tickets and code diffs.
    • Ingestion points: Untrusted content from ticket.md and from project code diffs is read and interpolated into prompts for the coaching loop and the code-reviewer sub-agent.
    • Boundary markers: Employs XML-style tags (e.g., <ticket>, <diff>) to separate untrusted content from system instructions.
    • Capability inventory: The agent's capabilities are limited to Read, Glob, Grep, and Bash (read-only); it cannot perform network exfiltration or modify source code.
    • Sanitization: Relies on structural delimiters and the inherent guardrails of the underlying model rather than programmatic sanitization of the input data.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 29, 2026, 05:16 PM