peer-review (skills/tobihagemann/turbo/peer-review)

Verdict: Warn

Audited by Gen Agent Trust Hub on Apr 29, 2026

Risk Level: MEDIUM
Findings: DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION

Full Analysis
  • [DATA_EXFILTRATION]: The skill is designed to identify and read file paths provided in the user's request (Criteria) and pass their contents to the codex-exec tool for review. This mechanism can be exploited to access and expose sensitive local files (such as .env, .ssh/config, or cloud credentials) if an attacker provides those paths.
  • [PROMPT_INJECTION]: The skill ingests untrusted 'Material' (code, text, or artifacts) and interpolates it directly into a structured prompt for the codex model. This establishes an indirect prompt injection surface where instructions embedded within the reviewed material could influence the behavior of the agent or the sub-agents it spawns.
      ◦ Ingestion points: User-supplied material, criteria, and dimensions are identified and processed in SKILL.md (Step 1 and Step 2).
      ◦ Boundary markers: The skill uses XML tags (e.g., <task>, <dig_deeper_nudge>) to delimit sections within the generated prompt, which serves as a basic boundary but does not fully prevent instruction override.
      ◦ Capability inventory: The skill has the capability to read local files and invoke external tools/skills such as /codex-exec and spawn_agent (Step 3).
      ◦ Sanitization: No explicit sanitization, validation, or escaping of the untrusted material is mentioned before it is included in the prompt construction.
  • [COMMAND_EXECUTION]: The instructions direct the agent to invoke the /codex-exec skill and potentially use spawn_agent for parallel execution. Dynamic tool invocation and agent delegation based on user-controlled 'dimensions' and 'material' increase the risk profile if the inputs are not strictly validated.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 29, 2026, 05:23 PM