clean-code-reviewer

Warn

Audited by Gen Agent Trust Hub on May 20, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill relies on executing various shell commands (git status, git symbolic-ref, git merge-base, git diff) to automate the detection of code changes and review targets. This grants the agent direct access to the local shell environment.
  • [REMOTE_CODE_EXECUTION]: The skill dynamically determines and loads additional instruction files (skills) from relative sibling paths (e.g., ../clean-typescript-{topic}/SKILL.md) based on variables derived from file classifications. Loading executable instructions from computed paths is a medium-risk pattern that can be exploited if path construction is manipulated.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted data (code diffs and file contents) without explicit instructions to ignore or sanitize commands embedded within that data. An attacker could include malicious instructions in a code comment to influence the agent's review verdict or behavior.
    • Ingestion points: Output from git diff and the contents of files identified for review in SKILL.md.
    • Boundary markers: None identified. There are no instructions provided to the agent to delimit the code content or to disregard embedded natural language instructions.
    • Capability inventory: The skill has the ability to execute shell commands (git) and read other local files to load further instructions.
    • Sanitization: None. The skill does not describe any validation or escaping of the content being reviewed before it is processed by the agent.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 20, 2026, 07:40 PM