multi-specialist-review

Pass

Audited by Gen Agent Trust Hub on Jun 19, 2026

Risk Level: SAFE
Full Analysis
  • [INDIRECT_PROMPT_INJECTION]: The skill ingests untrusted source code and diff data into the context of sub-agents. A malicious actor could attempt to place instructions within code comments to influence the review outcome.
  • Ingestion points: Untrusted content is interpolated via {{DIFF_CONTENT}} in references/specialist-prompt-template.md.
  • Boundary markers: The prompt template uses Markdown headers and code blocks to separate instructional text from the diff data.
  • Capability inventory: Sub-agents are explicitly restricted to read-only tools (Read, Grep, Glob) via the subagent_type="code-reviewer" configuration.
  • Sanitization: The scripts/verify_citations.py script mechanically validates that any code quoted in a finding actually exists in the source file, preventing fabricated or malicious findings from reaching the final report.
  • [COMMAND_EXECUTION]: The skill executes local Python scripts (scripts/triage_perspectives.py and scripts/verify_citations.py) to handle diff processing and citation validation. These scripts perform deterministic logic without external network access or dangerous shell operations.
  • [EXTERNAL_DOWNLOADS]: The skill references a validation script in skills/agent-loops/. This is an internal cross-skill dependency for shared infrastructure and does not involve untrusted remote sources.
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 19, 2026, 11:48 PM
Security Audit — agent-trust-hub — multi-specialist-review