The Agent Skills Directory

[COMMAND_EXECUTION]: In Phase 5, the skill executes a bash command that uses the source builtin on a local .env file. This is a high-severity security risk because it causes the shell to execute any code contained within the file. If a user runs this skill in a repository containing a malicious .env file, it can lead to immediate arbitrary code execution on the user's machine.\n- [COMMAND_EXECUTION]: The shell command in Phase 5 incorporates a 'slug' derived from the plan file path. While the skill checks for directory traversal (..), it does not explicitly sanitize the slug for shell metacharacters such as backticks, semicolons, or dollar signs. This oversight could allow command injection if an attacker-controlled plan filename is processed.\n- [CREDENTIALS_UNSAFE]: The skill's mechanism for loading API keys involves sourcing several environment files, including ~/.env and .env. This practice increases the risk of sensitive credential exposure and allows for potential environment hijacking by malicious local files.\n- [PROMPT_INJECTION]: The skill ingests untrusted plan content for processing by LLMs. Although it uses boundary markers () and instructions to the model to ignore directives within that block, it remains a vulnerability surface for indirect prompt injection. This is particularly concerning given the skill's capabilities to execute shell commands and access network resources.\n
Ingestion points: Implementation plans read from the project directory in Phase 1 and Phase 4.\n
Boundary markers: Uses <plan-content> tags to delimit untrusted data in the review prompt (Phase 4).\n
Capability inventory: Executes bash commands (Phase 5), writes to the local filesystem (Phase 2, Phase 5), and performs network operations via MCP tools and the counselors CLI.\n
Sanitization: There is no evidence of content sanitization or filtering of the plan data before its interpolation into the model prompt.

critic-review