code-review
Warn
Audited by Gen Agent Trust Hub on Apr 25, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The scripts/route.sh script dynamically loads agent prompts from the local filesystem using paths constructed from the agents parameter in the input JSON. Because these parameters are not sanitized for directory traversal sequences, it may be possible to read arbitrary files from the system and include their content in the agent's context.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests untrusted code diffs and incorporates them into prompts for analysis agents without sufficient isolation markers. An attacker could embed instructions in code comments to influence the review process.
- Ingestion points: Git diffs are read in SKILL.md and diff-methods/git-ref-diff.md via the Read tool and git diff commands.
- Boundary markers: The orchestration does not wrap diff content in protective delimiters or provide explicit 'ignore' instructions to the sub-agents regarding embedded data.
- Capability inventory: The skill possesses capabilities for file system access, shell command execution, and network communication via curl and gh CLI.
- Sanitization: There is no content validation or sanitization performed on the diff data before it enters the agent's prompt context.
- [DATA_EXFILTRATION]: The skill is designed to transmit review summaries and comments to external services like GitHub and Forgejo using API tokens or authenticated CLI tools. While this is expected behavior, the combination of local file access and network capabilities creates a risk surface for exfiltration if the prompt orchestration is compromised.