living-docs

Fail

Audited by Gen Agent Trust Hub on Feb 13, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [Indirect Prompt Injection] (HIGH): This skill is primarily designed to ingest and interpret untrusted external data (git diffs), creating a significant attack surface.
      • Ingestion points: The scripts/extract-diff.sh script retrieves raw git diffs, file lists, and commit logs, which are then passed to the agent's context.
      • Boundary markers: Absent. The instructions in references/analysis-patterns.md do not define delimiters or structural boundaries to help the agent distinguish between legitimate code changes and adversarial instructions embedded in comments or code.
      • Capability inventory: While the skill itself is read-only, it is intended to guide the generation of high-trust documents like Architecture Decision Records (ADRs) and Runbooks (SOPs). An injection in a diff could trick the agent into documenting malicious procedures or making unauthorized architectural changes if the agent possesses file-writing capabilities.
      • Sanitization: Absent. No filtering or escaping is performed on the diff output before it is analyzed by the LLM.
  • [COMMAND_EXECUTION] (MEDIUM): The scripts/extract-diff.sh script executes several git commands using variables derived from user-controllable arguments.
      • Evidence: Variables like $REPO_PATH, $TARGET_BRANCH, and $PATH_FILTER are used in subshells and command arguments (e.g., git diff "$RANGE" "${PATH_ARGS[@]}"). While the script uses double-quoting, it relies on the calling agent to ensure these strings do not contain malicious flags or path traversals that could compromise the local environment.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 13, 2026, 08:47 PM