nutmeg-review

Pass

Audited by Gen Agent Trust Hub on Apr 3, 2026

Risk Level: SAFE
Finding: PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by interpolating user-provided content (code files, descriptions, and specific concerns) directly into the prompt templates for sub-agents (data-reviewer and chart-reviewer).
  • Ingestion points: Untrusted data enters the agent context through the file paths to be reviewed, the user's description of their work, and their specific concerns mentioned in the interaction, as seen in the prompt templates in SKILL.md.
  • Boundary markers: The prompt templates lack explicit delimiters (such as XML tags or unique markers) or specific instructions to the sub-agents to ignore instructions embedded within the user data.
  • Capability inventory: The agent possesses Read, Write, Bash, and Agent capabilities. A successful injection could potentially lead to unauthorized file reads, writes, or execution of shell commands via the Bash tool if the sub-agent is compromised.
  • Sanitization: There is no evidence of sanitization, escaping, or validation of the user-provided content before it is interpolated into the prompts for the reviewer agents.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 3, 2026, 08:52 PM