superpowers-requesting-code-review
Warn
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it interpolates untrusted data into the code review agent's context.
  (1) Ingestion points: Variables such as {WHAT_WAS_IMPLEMENTED}, {DESCRIPTION}, and {PLAN_OR_REQUIREMENTS} in code-reviewer.md are populated from external task descriptions or plan files.
  (2) Boundary markers: There are no delimiters around the interpolated text, and no system instructions telling the agent to ignore instructions embedded within it.
  (3) Capability inventory: The subagent can execute shell commands (git diff, git log) and read repository contents.
  (4) Sanitization: No input validation or escaping is applied to the fields before they are used in the prompt.
- [COMMAND_EXECUTION]: The template uses placeholders to construct shell commands, which presents a command injection risk. Evidence: In code-reviewer.md, the commands git diff --stat {BASE_SHA}..{HEAD_SHA} and git diff {BASE_SHA}..{HEAD_SHA} use variables that could be manipulated to execute arbitrary commands if the shell environment does not properly escape the inputs.