honest-review

Warn

Audited by Gen Agent Trust Hub on Apr 30, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Potential command injection in SKILL.md hooks. The PreToolUse and PostToolUse hooks for the Edit tool interpolate the $TOOL_INPUT_file_path variable directly into a bash -c command string. If the underlying platform does not sanitize this variable, a malicious file path could be used to execute arbitrary shell commands.
  • [PROMPT_INJECTION]: High vulnerability surface for indirect prompt injection.
      ◦ Ingestion points: Untrusted data enters via git diff, file reads, and PR descriptions retrieved via gh pr view (SKILL.md).
      ◦ Boundary markers: The subagent prompt templates in references/team-templates.md lack explicit delimiters or instructions to ignore embedded commands in the reviewed code.
      ◦ Capability inventory: The skill possesses powerful capabilities including file editing (auto-fix protocol), shell command execution (hooks), and extensive network access via research tools.
      ◦ Sanitization: No sanitization or escaping of external content is specified before interpolation into subagent prompts.
  • [COMMAND_EXECUTION]: Utility scripts such as project-scanner.py and sarif-uploader.py perform various system operations using subprocess.run. While these scripts avoid shell=True and use list-based arguments, they represent a broad surface for system-level interaction that could be exploited if the agent's high-level reasoning is compromised.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 30, 2026, 11:13 PM