
Skill: expect
Audit result: Pass

Audited by Gen Agent Trust Hub on Apr 15, 2026

Risk Level: SAFE
Finding categories: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: Indirect prompt injection vulnerability. The skill ingests untrusted data from git diff (via scripts/diff-scan.sh) and interpolates it directly into the prompt for a sub-agent as defined in references/test-plan.md. Malicious instructions embedded in code comments or strings within a diff could influence the sub-agent's behavior.
      ◦ Ingestion points: Git diff output processed by scripts/diff-scan.sh and passed to the agent prompt in references/test-plan.md.
      ◦ Boundary markers: Absent. The prompt uses section headers but lacks explicit instructions for the agent to ignore instructions embedded within the diff data.
      ◦ Capability inventory: The sub-agent has access to Bash and the agent-browser toolset (including click, fill, and eval capabilities).
      ◦ Sanitization: No sanitization or filtering of the diff content is performed before interpolation.
  • [COMMAND_EXECUTION]: The skill makes extensive use of the Bash tool to perform git operations (git diff, git log, git rev-parse) and to execute internal helper scripts (scripts/diff-scan.sh, scripts/fingerprint.sh, scripts/route-map.sh), which use Python for data processing. This is fundamental to the skill's logic for identifying changed code and mapping it to testable routes.
  • [EXTERNAL_DOWNLOADS]: For session recording functionality, the skill is configured to fetch the rrweb library from the JSDelivr CDN (https://cdn.jsdelivr.net/npm/rrweb@2.0.0-alpha.4/dist/rrweb-all.min.js) and inject it into the browser context using an eval command, as documented in references/rrweb-recording.md.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 15, 2026, 12:23 PM