phoenix-skills-audit

Pass

Audited by Gen Agent Trust Hub on May 3, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes standard Git commands (git fetch, git log, git rev-list) to retrieve commit history and track changes in the repository. These operations are restricted to the repository's origin/main branch and are essential for the skill's auditing functionality.
  • [INDIRECT_PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection as it processes untrusted data from commit messages and source code to generate patches for other skills. This risk is inherent to the skill's purpose and is mitigated by the workflow's multi-phase triage process and the recommendation for manual review or CI-based PR gates.
      • Ingestion points: Commit history (git log) and repository source code files accessed during Phase 1 and Phase 3.
      • Boundary markers: The skill does not implement explicit delimiters (e.g., XML tags) around untrusted data, though it instructs the agent to treat commit messages as an index rather than a source of truth.
      • Capability inventory: The skill has the ability to execute shell commands (git), read local files, and write/edit files within the .agents/skills/ directory.
      • Sanitization: No automated sanitization of commit messages or code comments is specified before they are interpolated into the patch generation logic.
  • [DATA_EXPOSURE]: The skill reads source code and skill files but does not access sensitive user credentials (e.g., .env, .ssh) or exfiltrate data to external domains. All operations are confined to the local repository and the defined target skills.
Audit Metadata
Risk Level: SAFE
Analyzed: May 3, 2026, 02:51 PM