review-cycle

Fail

Audited by Gen Agent Trust Hub on Apr 6, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill's execution logic, specifically in path resolution and automated commit phases, interpolates user-provided arguments and finding metadata directly into shell commands such as find, git checkout, and git commit. For instance, the review-fix.md logic uses ${finding.file} and ${finding.title} inside shell strings. This pattern is vulnerable to arbitrary command execution if the input contains shell metacharacters like semicolons or pipes.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its core function of reading and acting upon external project data and JSON-formatted findings.
      • Ingestion points: The skill reads source code files during the review phases (review-module.md, review-session.md) and processes JSON findings from a file path provided in arguments during the fix phase (review-fix.md).
      • Boundary markers: Analysis of the sub-agent prompts (e.g., for cli-explore-agent and cli-execute-agent) reveals a lack of explicit boundary markers or instructions to treat ingested code and finding content purely as data rather than instructions.
      • Capability inventory: The skill has access to high-impact tools including Bash for shell execution, Edit and Write for file system modification, and the Agent tool for launching sub-tasks.
      • Sanitization: The skill does not perform sanitization, escaping, or validation on the content extracted from the codebase or the exported findings files before using that content to influence agent planning and execution logic.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 6, 2026, 11:10 AM
Security Audit — agent-trust-hub — review-cycle