The Agent Skills Directory

[REMOTE_CODE_EXECUTION]: The skill recommends installing the Cursor CLI using a piped shell script (curl ... | bash) from the well-known service cursor.com. While this is a standard installation method for this tool, it involves executing remote code.
[COMMAND_EXECUTION]: The skill executes various CLI tools (agent, claude, codex) and standard shell utilities (git, mkdir, tee) to facilitate the review process. A potential command injection vulnerability exists in SKILL.md where the current git branch name is interpolated into a directory path used in shell commands (mkdir -p "/tmp/code-review-${BRANCH}"). If a repository contains a maliciously named branch (e.g., using backticks or subshell syntax), it could lead to arbitrary command execution when the skill is initialized.
[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8). It ingests untrusted data from git diff, file contents, and external metadata (tickets/conversations) and passes them to secondary AI models. The primary agent then synthesizes this feedback and is instructed to 'Implement fixes' based on the models' output. This creates a loop where malicious instructions embedded in a code change or ticket could influence the agent to perform unintended modifications to the codebase.
Ingestion points: SKILL.md (Workflow Step 1 and 2), assets/code-review-prompt-template.md (Summary/Diff/File sections).
Boundary markers: Uses Markdown headers and code blocks to separate sections, but lacks explicit instructions to the reviewer models to ignore embedded directives.
Capability inventory: Subprocess execution (AI CLIs, git), file system writes (implementing fixes), and potential network access depending on the configured CLI tools.
Sanitization: No evidence of sanitization or validation of the ingested code or metadata before processing.

multi-model-code-review