requesting-review

Warn

Audited by Gen Agent Trust Hub on Mar 17, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: In code-reviewer.md, the skill executes the shell commands git diff --stat {BASE_SHA}..{HEAD_SHA} and git diff {BASE_SHA}..{HEAD_SHA} using direct string interpolation. If the {BASE_SHA} or {HEAD_SHA} variables contain shell metacharacters (e.g., ;, &, |), this could lead to arbitrary command execution within the agent's environment.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection in code-reviewer.md.
    ◦ Ingestion points: Untrusted data enters the subagent context via the {WHAT_WAS_IMPLEMENTED}, {PLAN_OR_REQUIREMENTS}, and {DESCRIPTION} variables in code-reviewer.md.
    ◦ Boundary markers: There are no delimiters (e.g., XML tags, triple backticks) and no specific instructions telling the subagent to ignore embedded commands within these variables.
    ◦ Capability inventory: The agent has the capability to execute shell commands (git diff) and to output technical assessments.
    ◦ Sanitization: There is no evidence of input validation or sanitization for the provided requirements or descriptions. An attacker could embed instructions in the requirement text to force the reviewer to always return a 'Ready to merge' verdict.
  • [DATA_EXPOSURE]: The skill's primary function involves reading and displaying source code diffs. While intended, this capability can be leveraged by an injected prompt to exfiltrate sensitive code or configuration files through the agent's output channels.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 17, 2026, 09:36 AM