adversarial-review
Fail
Audited by Gen Agent Trust Hub on Apr 15, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill directs the agent to construct shell commands (`codex exec` and `claude -p`) using a prompt that includes untrusted content from the repository (code or diffs). This implementation is highly vulnerable to command injection if the content contains shell metacharacters like backticks, semicolons, or unescaped quotes.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection by processing untrusted repository data and including it in prompts sent to external models.
- Ingestion points: Code diffs and repository files are read and included in the reviewer prompts in SKILL.md (Step 3).
- Boundary markers: The prompt template does not use robust delimiters or instructions to ignore potential commands embedded within the code blocks being reviewed.
- Capability inventory: The skill utilizes shell command execution and file system access to process and store results.
- Sanitization: There is no evidence of sanitization or escaping of the repository content before it is interpolated into the shell command prompt.
- [REMOTE_CODE_EXECUTION]: The skill allows for the execution of repository tests via the `--profile edit` flag in the `codex exec` command. This represents a remote code execution vector if the repository contains malicious test scripts designed to execute when the reviewer runs tests.
Recommendations
- AI detected serious security threats
Audit Metadata