codex-companion

Warn

Audited by Gen Agent Trust Hub on Apr 19, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The runCommand function in scripts/lib/process.mjs executes shell commands with shell: true when running on Windows platforms. This introduces a command injection vulnerability where user-controlled arguments, such as branch names passed to the --base flag in review or adversarial-review commands, are passed directly to subprocesses like git (e.g., git merge-base HEAD <ref>) without sanitization.
  • [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8). It ingests untrusted repository data, including uncommitted changes and branch diffs, and interpolates this content into reasoning prompts. Evidence chain:
      ◦ Ingestion points: scripts/lib/git.mjs collects working tree state and branch diffs.
      ◦ Boundary markers: The prompts/adversarial-review.md template uses <repository_context> XML-like tags to delimit the ingested data.
      ◦ Capability inventory: The skill has significant capabilities, including file modification via task --write, and arbitrary shell execution through git and node subprocesses.
      ◦ Sanitization: No explicit sanitization or escaping of the repository content is performed before interpolation into the prompt.
  • [DATA_EXFILTRATION]: The skill collects the entire context of the repository (diffs, staged changes, and untracked files) and transmits it to the OpenAI Codex service for analysis. While this is the intended primary purpose of the skill, it involves reading and sending potentially sensitive source code externally.
  • [EXTERNAL_DOWNLOADS]: The skill requires and encourages the installation of the @openai/codex package from the official NPM registry. This is a well-known tool, and the installation finding is noted neutrally as it targets a well-known service.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 19, 2026, 02:49 PM