ce-proof

Pass

Audited by Gen Agent Trust Hub on May 9, 2026

Risk Level: SAFE (finding categories: DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [PROMPT_INJECTION]: The skill implements a 'Human-in-the-loop' (HITL) review mode that processes external input from the Proof editor (proofeditor.ai). The instructions in references/hitl-review.md Phase 2.3 and 2.4 direct the agent to automatically apply 'imperative' feedback found in comments (e.g., 'rename X to Y', 'remove this'). This is an indirect prompt injection surface: anyone who can comment on the shared document, or an attacker who compromises it, can steer the agent into unauthorized modifications of local files or into inserting attacker-chosen content into the codebase.
  • [DATA_EXFILTRATION]: The core functionality reads local markdown documents and uploads them to a third-party domain (proofeditor.ai) that is not on an allowlist. The skill's description states this intent clearly, but automatically transferring potentially sensitive project documentation to an external cloud service is still a data exposure risk.
  • [COMMAND_EXECUTION]: The skill relies on the Bash tool to perform network requests and manage local files. Its 'recipes' (e.g., in references/hitl-review.md) construct shell commands from variables derived from external API responses, such as document slugs and access tokens. If the remote service returns crafted metadata and the recipe expands it unquoted or through eval, that metadata is parsed as shell syntax, which is a command injection risk; a slug that ends up in a local path is also a path traversal risk.
  • [PROMPT_INJECTION]: The references/hitl-review.md file instructs the agent to use specific tools for user interaction (e.g., AskUserQuestion) that are not included in the allowed-tools manifest in SKILL.md. The instructions provide a fallback to chat-based interaction, but the mismatch between the reference file and the manifest can produce unexpected agent behavior or cause critical safety checkpoints (such as confirming file overwrites during synchronization) to be skipped.
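A worked illustration of the COMMAND_EXECUTION finding above, added here as an example and not taken from the skill, from proofeditor.ai, or from Gen Agent Trust Hub: a shell recipe that splices an API-supplied slug into a command string via eval, next to a hardened version that validates the slug and token against a strict character set and hands them to the command as separate arguments. The endpoint URL, the output path, the function names and the sample inputs are all constructed assumptions; the real API is not described on this page.

```sh
#!/bin/sh
# Added example (not the skill's own code). Shows why metadata returned by a
# remote API must be validated before it reaches a shell recipe, and how to
# pass it safely. All URLs, paths and inputs below are hypothetical.

# Accept only a single token of letters, digits, '-' and '_'.
# Rejects shell metacharacters (; | & $ ` space ...) and path pieces (/ ..).
validate_slug() {
  case "$1" in
    "")                 return 1 ;;   # empty
    *[!A-Za-z0-9_-]*)   return 1 ;;   # any byte outside the allowlist
    *)                  return 0 ;;
  esac
}

# Tokens: same idea with a slightly wider alphabet and a length cap.
validate_token() {
  case "$1" in
    "")                 return 1 ;;
    *[!A-Za-z0-9_.-]*)  return 1 ;;
  esac
  [ "${#1}" -le 512 ]
}

# UNSAFE (the pattern the finding describes): the slug is spliced into a
# command string and re-parsed by the shell, so a slug such as
# 'doc; echo INJECTED' runs a second command.
unsafe_fetch() {
  eval "echo fetching document $1"
}

# Stand-in for executing "$@"; prints one argument per line so the argv
# boundaries are visible. In a real recipe this line would simply be: "$@"
run_argv() {
  printf '%s\n' "$@"
}

# SAFE: validate, then build argv with "set --" and pass each value as its
# own argument. No eval, no word splitting, no glob expansion.
safe_fetch() {
  slug=$1
  token=$2
  validate_slug "$slug"   || { printf 'rejected slug: %s\n' "$slug" >&2; return 2; }
  validate_token "$token" || { printf 'rejected token\n' >&2;             return 2; }
  # Hypothetical endpoint and output path. Note that argv is visible to other
  # local processes; in production put the header in a file (curl -H @file)
  # rather than on the command line.
  set -- curl --fail --silent --show-error \
         -H "Authorization: Bearer $token" \
         -o "./docs/$slug.md" \
         "https://example.invalid/api/docs/$slug"
  run_argv "$@"
}

# Demo on constructed inputs: a benign slug is accepted, hostile ones are not.
safe_fetch "release-notes_v2" "tokABC123"
for bad in 'doc; echo INJECTED' '../../.ssh/id_rsa' '$(id)'; do
  if safe_fetch "$bad" "tokABC123"; then
    printf 'BUG: hostile slug accepted: %s\n' "$bad" >&2
  fi
done
```

The allowlist check is deliberately stricter than "escape the dangerous characters": rejecting anything outside a small alphabet closes the shell-syntax case and the `../` path case with one rule, and the argv-based call means a value that does slip through is still only ever one argument, never re-parsed by the shell.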
Audit Metadata
Risk Level: SAFE
Analyzed: May 9, 2026, 08:19 AM