pre-ship-review

Warn

Audited by Gen Agent Trust Hub on Apr 4, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The shell scripts provided in references/automated-checks.md are vulnerable to command injection. They use unquoted variables such as $PY_FILES and $CHANGED (which contain output from git diff) directly in shell commands like pyright ... $PY_FILES and vulture $PY_FILES. If a repository under review contains files with names crafted to include shell metacharacters (e.g., ; malicious_command ; .py), the agent would execute those commands in its local environment.
  • [EXTERNAL_DOWNLOADS]: The references/tool-install-guide.md file contains instructions to install several third-party development tools including pyright, vulture, import-linter, deptry, griffe, and mutmut via pip, and semgrep via brew. These are well-known tools hosted on official, trusted package registries.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 4, 2026, 09:51 AM