codebase-advisor
Pass
Audited by Gen Agent Trust Hub on Jun 17, 2026
Risk Level: SAFE
Full Analysis
- [PROMPT_INJECTION]: The skill is subject to indirect prompt injection because it processes untrusted repository content like source code and documentation. However, it implements a strict hard rule requiring the agent to treat this content as data rather than instructions and to report suspicious content as a security finding.
  - Ingestion points: All files within the repository being audited, including source code, comments, and README files, as specified in SKILL.md.
  - Boundary markers: Explicit instructions in Hard Rule 5 mandate treating repository content as data and ignoring embedded instructions.
  - Capability inventory: The skill uses read-only subagents for exploration and restricts plan execution to isolated git worktrees when supported.
  - Sanitization: Findings are required to be manually vetted and re-verified against the codebase by the agent before being included in plans (Phase 3: Vet and Prioritize).
- [COMMAND_EXECUTION]: The skill performs read-only reconnaissance and verification commands, such as git rev-parse, tsc --noEmit, and linting. It explicitly forbids the execution of mutating commands within the user's primary working directory (Hard Rule 2).
- [DATA_EXFILTRATION]: The skill includes functionality to publish implementation plans as GitHub issues via the gh CLI. While this involves network transmission to a well-known service (GitHub), it includes mandatory preflight status checks and requires explicit user confirmation when dealing with public repositories or potentially sensitive plan data (references/closing-the-loop.md).