security-review

Warn

Audited by Gen Agent Trust Hub on Apr 26, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes dynamic context injection (the ! syntax) within SKILL.md to execute git commands such as git status, git diff, and git log automatically when the skill is loaded. While these specific commands are typically benign for project context gathering, they represent a mechanism for silent command execution.
  • [COMMAND_EXECUTION]: In Phase 1.5 of the methodology, the skill instructs the agent to search for and execute a shell script named security-scan.sh from the repository's local file system. Executing scripts from an untrusted or newly cloned repository—especially one being reviewed for potential vulnerabilities—presents a risk of command execution if the script is malicious or has been tampered with.
  • [PROMPT_INJECTION]: Indirect prompt injection surface detected. Ingestion points: git diff content, trivy-*.json dependency scan results, and gitleaks.json secret detection reports. Boundary markers: No specific delimiters or instructions to ignore embedded commands are defined for the ingested content. Capability inventory: File writing, directory creation (mkdir -p), GitHub PR commenting (gh pr comment), and execution of local shell scripts. Sanitization: The skill lacks explicit sanitization or validation of external data before it is interpolated into prompts. This allows malicious code or comments in a PR to potentially influence the reviewer's output or trigger unauthorized tool actions.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 26, 2026, 10:55 AM
Security Audit — agent-trust-hub — security-review