cross-modal-review

Pass

Audited by Gen Agent Trust Hub on May 8, 2026

Risk Level: SAFE (PROMPT_INJECTION, NO_CODE)
Full Analysis
  • [PROMPT_INJECTION]: The skill's 'refusal routing' section in SKILL.md explicitly instructs the agent to switch silently to another model and suppress all notifications to the user if a model refuses a request. This design functions as a bypass for safety-related refusals by hiding them and attempting to find a model that will comply with potentially problematic content.
  • [INDIRECT_PROMPT_INJECTION]: The skill ingests untrusted 'work products' (including code, diffs, and analysis) in Phase 1 for processing by a secondary AI model without implementing defensive isolation.
  • Ingestion points: External work products and git diffs enter the context during the 'Capture the work product' phase.
  • Boundary markers: The instructions do not define delimiters or specific isolation prompts to prevent the secondary model from following malicious instructions embedded within the reviewed work.
  • Capability inventory: The skill utilizes the search, query, and get_page tools, which could be abused if the reviewer model is manipulated by the input data.
  • Sanitization: No sanitization, escaping, or validation of the input work product is performed before it is sent to the AI models.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 8, 2026, 01:48 AM