auto-review-loop

Warn

Audited by Gen Agent Trust Hub on Apr 19, 2026

Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill implements an autonomous loop that fetches "Action items" and "Minimum fixes" from a remote model (Codex MCP) and applies them as code modifications. By default, HUMAN_CHECKPOINT is set to false, allowing the agent to implement and execute code originating from an external source without human oversight.
  • [COMMAND_EXECUTION]: The skill uses the Bash tool extensively to run experiments and manage project files. In "Nightmare" mode, it invokes codex exec, which provides the external model with autonomous read access to the repository to verify claims, increasing the attack surface.
  • [DATA_EXFILTRATION]: The skill attempts to read the configuration file ~/.claude/feishu.json to send notifications. Accessing files in the user's home directory that typically store API keys or webhooks presents a risk of sensitive data exposure.
  • [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection via the reviewer's output.
      ◦ Ingestion points: The agent parses the raw text response from the Codex MCP model in Phase B.
      ◦ Boundary markers: No delimiters or instructions are used to separate the external feedback from the agent's internal logic.
      ◦ Capability inventory: The agent has access to Bash(*), Write, Edit, and Agent tools, enabling arbitrary file modification and execution.
      ◦ Sanitization: None. The agent directly translates model-suggested "fixes" into file edits and shell commands.
  • [EXTERNAL_DOWNLOADS]: The skill uses curl to fetch bibliographic information from dblp.org and doi.org. While these are established services for research data, the skill programmatically incorporates this external content into the project documentation.
  • [CREDENTIALS_UNSAFE]: The skill accesses the ~/.claude/feishu.json file, which is a common pattern for storing and using sensitive service credentials for the Feishu notification platform.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 19, 2026, 03:14 AM