The Agent Skills Directory

[COMMAND_EXECUTION]: The skill executes multiple local shell commands to manage project state and orchestrate the review process.
Uses git, bd, and jq to validate project artifacts and the dependency graph integrity.
Employs opencode run to launch three parallel sub-agent sessions for multi-model evaluation.
[DATA_EXFILTRATION]: Local project content and documentation are sent to external LLM providers (OpenAI, Google, and Anthropic) as part of the multi-model review workflow.
Ingests content from .llmtmp/ artifacts, README.md, CLAUDE.md, and project documentation in .llmdocs/.
Dynamically reads additional files specified in the plan's 'plan documents' section.
This behavior is consistent with the skill's stated purpose of cross-model consensus but involves sharing project data with third-party AI services.
[PROMPT_INJECTION]: The skill demonstrates an indirect prompt injection surface and uses behavior-override instructions.
Ingestion points: Processes .llmtmp/ralph-plan.md, README.md, CLAUDE.md, .llmdocs/*.md, and user-defined 'plan documents' (parsed in Step 4).
Boundary markers: Wrapped content uses === path === headers, but there are no explicit instructions to the models to ignore embedded directives within that content.
Capability inventory: The sub-agents invoked via opencode run are capable of performing tool calls (e.g., writing output files).
Sanitization: No escaping, validation, or sanitization of the ingested file content is performed before interpolation into the sub-reviewer prompts.
Behavioral instructions: The sub-agent prompt includes forceful directives intended to override default model behavior (e.g., "Nobody reads your text responses", "Do not ask questions", "Your VERY NEXT action must be a tool call").

ralph-review-deep