requesting-code-review

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The code-reviewer.md template incorporates placeholders {BASE_SHA} and {HEAD_SHA} directly into shell commands (git diff). A malicious user or a compromised repository could provide inputs containing command separators (e.g., ;, &&) to execute arbitrary commands on the host system.
  • [PROMPT_INJECTION] (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8). Ingestion point: The agent processes external, untrusted data via {WHAT_WAS_IMPLEMENTED}, {DESCRIPTION}, and the output of git diff. Boundary markers: There are no delimiters or instructions to ignore embedded commands within the diff or description. Capability inventory: The agent can execute shell commands and trigger subagents via the Task tool. Sanitization: No escaping or validation is performed on the code or plan content. This allows malicious code under review to hijack the agent's logic to force a 'SAFE' verdict or exfiltrate data.
  • [DATA_EXPOSURE] (MEDIUM): The use of git diff without filters automatically brings the entire content of code changes into the LLM context, which may inadvertently expose hardcoded secrets or sensitive configuration files if they are present in the commit range being reviewed.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 06:04 AM