review-architecture

Warn

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes a specific Python script located at a hidden path, .claude/scripts/code_graph, with arguments and JSON output formatting. Running local scripts from within a repository can be dangerous if the repository's contents have been tampered with or originate from an untrusted source. Evidence: Phase 2 includes the command python .claude/scripts/code_graph trace <changed-file> --direction downstream --json.
  • [PROMPT_INJECTION]: The instructions use repeated high-pressure directives ('MANDATORY IMPORTANT MUST ATTENTION', 'NON-NEGOTIABLE') and imperative language designed to override the agent's default behavior and enforce specific procedural adherence. Evidence: Extensive use of these phrases and 'FORBIDDEN' throughout the skill's mindset and phase definitions.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted code and documentation files and uses them to generate analysis reports without sufficient sanitization or isolation.
  • [PROMPT_INJECTION]: Evidence chain for indirect prompt injection. Ingestion points: Phase 0 and Phase 3 read files matching project documentation and source code paths (e.g., docs/project-reference/*.md, docs/project-config.json). Boundary markers: The skill instructions do not provide delimiters or warnings to ignore instructions embedded within reviewed files. Capability inventory: The agent has access to Bash (shell execution), Write (file creation), and Agent (sub-agent spawning) tools. Sanitization: No sanitization or validation logic is defined for data read from external files.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 10, 2026, 07:25 AM
Security Audit — agent-trust-hub — review-architecture