The Agent Skills Directory

[PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8). It ingests untrusted data from git diffs and repository documentation, which could contain malicious instructions designed to manipulate the review outcome.
Ingestion points: The agent reads git diff output (git diff origin/<base>), files in the .planning/ directory, and various configuration files (e.g., package.json, .eslintrc).
Boundary markers: No explicit boundary markers or 'ignore embedded instructions' warnings are present to isolate the untrusted data from the agent's system prompt.
Capability inventory: The skill executes shell commands (ls, find, cat, git) via the main agent. While SKILL.md claims agents report findings only, checklist.md suggests an 'AUTO-FIX' capability for mechanical issues, implying potential file-write access.
Sanitization: There is no evidence of sanitization, escaping, or validation of the external content before it is processed by the LLM sub-agents.
[COMMAND_EXECUTION]: The orchestrator uses shell commands to map the codebase and extract configuration. There is a risk of command injection if the <base> branch variable is sourced from an untrusted user input without proper sanitization (e.g., git fetch origin <base>).
[SAFE]: The skill relies on standard system utilities and does not download or execute code from external remote sources. All referenced sub-skills are expected to be located within the local skill directory structure.

code-review-frontend