80-20-review

Pass

Audited by Gen Agent Trust Hub on Mar 13, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it is designed to ingest and process untrusted data (source code and pull request content) provided by users or external systems.
    • Ingestion points: Processes code and PR descriptions when triggered by keywords like "review", "PR review", or "blast radius" (SKILL.md).
    • Boundary markers: None. There are no explicit instructions to the agent to ignore instructions embedded within the code or comments being reviewed.
    • Capability inventory: Uses several MCP tools for code analysis, including find_references, get_diagnostics, detect_antipatterns, and get_test_coverage_map (SKILL.md).
    • Sanitization: None. The skill relies on the output of static analysis tools and the LLM's own parsing logic.
  • [SAFE]: The skill's primary focus is defensive security. It explicitly instructs the agent to check for SQL injection, hardcoded secrets, authentication gaps, and improper error handling in .NET applications.
  • [SAFE]: The referenced MCP tools (detect_antipatterns, get_project_graph, etc.) are standard static analysis utilities for the .NET ecosystem and are used here for read-only diagnostics.
Audit Metadata
  Risk Level: SAFE
  Analyzed: Mar 13, 2026, 06:49 PM