comprehensive-review-full-review

Pass

Audited by Gen Agent Trust Hub on May 12, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits a significant surface for indirect prompt injection by interpolating untrusted data into instructions for specialized sub-agents. This occurs across the entire phased workflow.
      • Ingestion points: The $ARGUMENTS placeholder in all sub-skill markdown files (including sub-skills/1a-code-quality-analysis.md, sub-skills/2a-security-vulnerability-assessment.md, and others) represents external code content that is directly inserted into the agent's context during task orchestration.
      • Boundary markers: No delimiters (such as XML tags or markdown fences) or "ignore previous instructions" warnings are used to separate the untrusted code from the agent's instructions in any of the sub-skill prompts. The input is simply appended or interpolated into the command string.
      • Capability inventory: The skill utilizes the Task tool to invoke high-capability sub-agents (e.g., security-auditor, architect-review, deployment-engineer) that perform deep analysis of security vulnerabilities, architecture, and CI/CD pipelines. This increases the impact if the agent's reasoning is compromised.
      • Sanitization: There is no evidence of sanitization, escaping, or validation of the input code before it is passed to the sub-agents, allowing embedded malicious instructions, comments, or specially crafted patterns to potentially override the intended review behavior.
Audit Metadata
Risk Level: SAFE
Analyzed: May 12, 2026, 01:43 PM