flow-next-epic-review

Warn

Audited by Gen Agent Trust Hub on Apr 25, 2026

Risk Level: MEDIUM
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill contains instructions that explicitly override standard safety guardrails by forbidding the agent from asking for user confirmation during its automated 'Fix Loop'. It uses imperative markers like 'CRITICAL' to mandate autonomous code changes and commits without oversight.
  • [COMMAND_EXECUTION]: The skill relies on 'eval' to execute shell commands dynamically generated by a local script ('flowctl'). This is a dangerous pattern that allows for arbitrary code execution within the shell environment.
  • [DATA_EXFILTRATION]: The skill aggregates and transmits sensitive repository data, including full source code of modified files, epic specifications, and task metadata, to external backends (RepoPrompt or Codex) for analysis.
  • [COMMAND_EXECUTION]: The skill performs automated filesystem modifications and repository actions ('git commit') in a recursive loop based on instructions received from external services, without providing a manual checkpoint for the user to review the changes.
  • [PROMPT_INJECTION]: The skill exhibits a significant Indirect Prompt Injection surface.
      • Ingestion points: External epic specifications and feedback from the review backends.
      • Boundary markers: None are implemented to separate untrusted external input from internal instructions.
      • Capability inventory: The skill has permissions to write to the filesystem, execute shell commands, and perform git commits.
      • Sanitization: No validation or sanitization is performed on the feedback before it is used to direct automated code fixes.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 25, 2026, 02:41 AM