requesting-code-review

Pass

Audited by Gen Agent Trust Hub on May 13, 2026

Risk Level: SAFE
Finding categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection in code-reviewer.md. It ingests untrusted data from variables like {WHAT_WAS_IMPLEMENTED}, {PLAN_OR_REQUIREMENTS}, and {DESCRIPTION} which are then interpolated directly into the system prompt. There are no boundary markers (e.g., XML tags, triple-backticks) or explicit instructions to ignore potentially malicious instructions embedded within the processed code or documentation. An attacker could influence the agent's behavior by embedding instructions in the code comments or task descriptions.
  • [COMMAND_EXECUTION]: The code-reviewer.md template contains the shell commands git diff --stat {BASE_SHA}..{HEAD_SHA} and git diff {BASE_SHA}..{HEAD_SHA}. These commands rely on the variables {BASE_SHA} and {HEAD_SHA}. While the SKILL.md instructions recommend using git rev-parse to generate these values, no validation or escaping is performed on these variables before they are interpolated into the shell command. If a malicious input or an automated process supplies a value containing shell metacharacters (e.g., ;, &, |), it could lead to command injection in environments where the agent executes these templates without strict validation.
Audit Metadata
Risk Level: SAFE
Analyzed: May 13, 2026, 07:15 PM
Security Audit — agent-trust-hub — requesting-code-review