review-package

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The review-package-analyzer subagent (agents/analyzer.md) reads and parses files from the project codebase (CWD) to decide which files are 'Core' and 'Related'. That is unvalidated ingestion of untrusted data: anyone who can get text into the repository (a source comment, a README, a vendored file) can embed instructions that tell the analyzer to add sensitive files such as ~/.ssh/id_rsa or .env to the final package.
    • Ingestion points: agents/analyzer.md uses git diff, grep, and direct file reads for reconnaissance and dependency mapping.
    • Boundary markers: Absent. Codebase content is handed to the agent without delimiters and without an instruction to treat embedded commands as data.
    • Capability inventory: The skill can read any file the user can read, copy it, and package it into a compressed archive (scripts/create-review-zip.sh).
    • Sanitization: Absent. The shell script applies no whitelist or blacklist to the file list it receives, so nothing stops sensitive system paths or configuration files from being bundled.
  • [Data Exfiltration] (HIGH): While the skill does not automatically transmit data over the network, its core purpose is to facilitate the transfer of project data to an 'external AI model' or 'human reviewer.' By tricking the agent into including sensitive files in the bundle, an attacker achieves 'user-assisted exfiltration' when the user follows the skill's instructions to upload the resulting package.
  • [Command Execution] (MEDIUM): The skill dynamically locates and executes a shell script (scripts/create-review-zip.sh) using the find command in Phase 5. It also uses osascript to manipulate the system clipboard on macOS. While these are used for the skill's intended functionality, the reliance on shell execution for file bundling provides a vector for broader system access if the analyzer is compromised.
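The missing control from the Sanitization finding, as an added example rather than the skill's own scripts/create-review-zip.sh: a shell gate that every analyzer-proposed path must pass before it reaches the archiver. It enforces two things the script currently does not: the path must resolve (after following directory symlinks and `..`) to a regular file inside the project root, and neither its basename nor its root-relative path may match a denylist of secret-bearing files. The denylist, the function names and the decision to refuse symlinks outright are assumptions made for this example; the archiver command in the comment is likewise a suggestion, not the skill's.

```bash
#!/usr/bin/env bash
# Added example, not part of the review-package skill: gate candidate paths
# before bundling. Paths are interpreted relative to the current directory,
# matching how the skill runs in CWD.
set -euf   # -f: the denylist below is expanded as words, never as filenames

# Constructed denylist for illustration (an assumption, extend as needed).
# Each entry is a shell glob matched against the basename and against the
# root-relative path. Note that '*' in a case pattern also matches '/'.
DENY_GLOBS='.env .env.* id_rsa id_dsa id_ecdsa id_ed25519 *.pem *.key *.p12 *.pfx .netrc .npmrc .pypirc .git/* *credentials*'

# check_bundle_path ROOT PATH
# Returns 0 and prints the root-relative path when PATH may be bundled;
# returns 1 and prints the reason on stderr otherwise.
check_bundle_path() {
  root=$1
  candidate=$2
  root_abs=$(cd -- "$root" 2>/dev/null && pwd -P) \
    || { echo "reject (no such root): $root" >&2; return 1; }

  # Refuse symlinks even when they point inside the tree: the analyzer cannot
  # tell a link to ~/.ssh/id_rsa from an ordinary source file.
  if [ -L "$candidate" ]; then
    echo "reject (symlink): $candidate" >&2; return 1
  fi
  if [ ! -f "$candidate" ]; then
    echo "reject (not a regular file): $candidate" >&2; return 1
  fi

  # Canonicalise the parent directory so ../ and symlinked directories cannot
  # escape the project root.
  dir_abs=$(cd -- "$(dirname -- "$candidate")" 2>/dev/null && pwd -P) \
    || { echo "reject (unresolvable parent): $candidate" >&2; return 1; }
  abs="$dir_abs/$(basename -- "$candidate")"
  case "$abs" in
    "$root_abs"/*) ;;
    *) echo "reject (outside project root): $candidate" >&2; return 1 ;;
  esac

  rel=${abs#"$root_abs"/}
  base=$(basename -- "$abs")
  for g in $DENY_GLOBS; do
    # shellcheck disable=SC2254  # $g is meant to be used as a pattern
    case "$base" in $g) echo "reject (denylisted by $g): $rel" >&2; return 1 ;; esac
    case "$rel"  in $g) echo "reject (denylisted by $g): $rel" >&2; return 1 ;; esac
  done
  printf '%s\n' "$rel"
}

# filter_bundle_list ROOT  (reads newline-separated candidate paths on stdin)
# Emits only the accepted root-relative paths, one per line, suitable for
# `zip review.zip -@` or `tar -czf review.tgz -C ROOT -T -`. A rejected
# path is dropped and logged; it never aborts the whole bundle.
filter_bundle_list() {
  root=$1
  while IFS= read -r p; do
    [ -n "$p" ] || continue
    check_bundle_path "$root" "$p" || true
  done
}
```

The root check and the denylist are deliberately independent: the first stops `~/.ssh/id_rsa` or `../../etc/passwd` regardless of name, the second stops a `.env` or `server.pem` that legitimately lives inside the repository. Neither addresses the injection itself; it only limits what a hijacked analyzer can reach.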
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 06:24 AM