pre-publish-review

Pass

Audited by Gen Agent Trust Hub on Jun 5, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests untrusted data from the local environment and interpolates it into prompts for multiple AI agents (Ultrabrain and Oracle).
  • Ingestion points: The skill reads output from git log (commit messages), git diff (code changes), and the full text of modified files (SKILL.md).
  • Boundary markers: While the prompts use XML-style tags like <diff> and <file_contents>, they lack explicit instructions to the agents to disregard or ignore any natural language instructions found within that data.
  • Capability inventory: The skill itself performs context gathering and logic orchestration. While it does not have direct file-write capabilities, it acts as a gatekeeper for the 'publish' verdict, which could be manipulated by an attacker who controls commit messages or source code.
  • Sanitization: No sanitization, escaping, or instruction-filtering is performed on the git data or file contents before they are sent to the LLM agents.
  • [COMMAND_EXECUTION]: The skill executes several local shell commands to gather context for the review process.
  • Evidence: Commands include npm view to fetch version info, node -p to parse the local package.json, and git log/git diff to extract change history.
  • Context: These are standard development tools used for their intended purpose of project introspection, but they represent a surface for command execution within the skill's workflow.
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 5, 2026, 11:05 AM
Security Audit — agent-trust-hub — pre-publish-review