requesting-code-review
Pass
Audited by Gen Agent Trust Hub on Mar 25, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted content (code changes and implementation descriptions) by interpolating them directly into the subagent's instructions without sanitization or boundary markers.
  - Ingestion points: The placeholders {WHAT_WAS_IMPLEMENTED}, {PLAN_OR_REQUIREMENTS}, and {DESCRIPTION} in code-reviewer.md, as well as the output of git diff.
  - Boundary markers: Absent. There are no delimiters or instructions to ignore embedded commands within the reviewed content.
  - Capability inventory: The subagent executes shell commands (git diff) and performs technical evaluations based on the provided data.
  - Sanitization: Absent. Content is processed as provided.
- [COMMAND_EXECUTION]: The skill and its referenced template execute several git-related shell commands to identify and extract code changes for review.
  - Evidence: git rev-parse, git log, and git diff in SKILL.md and code-reviewer.md.
  - Context: These operations are consistent with the skill's primary purpose of automating code reviews.
Audit Metadata