The Agent Skills Directory

[COMMAND_EXECUTION]: The SKILL.md file defines several workflows that involve executing shell commands with git. These commands use variables extracted from user requests, such as <file-path>, <branch>, and <branch1>..<branch2> (e.g., git diff <branch1>..<branch2>). If the agent environment executes these via a shell without strict sanitization, an attacker could provide malicious branch names or paths containing shell metacharacters to execute arbitrary code.
[PROMPT_INJECTION]: This skill is vulnerable to indirect prompt injection as it ingests untrusted data from the repository being reviewed. 1. Ingestion points: The skill reads file contents and git diff output as described in the Scope Resolution and Workflow sections of SKILL.md. 2. Boundary markers: The skill lacks explicit delimiters or instructions to treat ingested code content as data rather than instructions. 3. Capability inventory: The skill can execute shell commands (git) and read local workspace files. 4. Sanitization: There is no mention of sanitizing or escaping the content retrieved from files or git output before it is processed by the agent.

review-code-changes