code-review

Warn

Audited by Gen Agent Trust Hub on Apr 3, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to search for and identify files by passing the $ARGUMENTS variable directly to Grep and Glob tools. If the user-supplied input contains shell metacharacters or malicious commands, it could lead to arbitrary command execution depending on how the agent's underlying tools handle shell escaping.
  • [PROMPT_INJECTION]: The skill implements a custom "Confidence Scoring" mechanism in Step 4 that silently drops any findings with a score below 80/100. This behavior is explicitly noted in the 'Gotchas' section as potentially filtering out legitimate security issues with 'no trace', which effectively suppresses the reporting of vulnerabilities to the user.
  • [DATA_EXFILTRATION]: When the --multi flag is present, the skill is instructed to use the second-opinion tool to send code context (via git diff --cached) to external advisors (Gemini and Codex). While these are well-known services, this represents a transfer of potentially sensitive repository data to external third-party models.
  • [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8) because it ingests untrusted data from the repository during the review process.
      • Ingestion points: Reads repository files and staged changes based on $ARGUMENTS (SKILL.md).
      • Boundary markers: Absent. The prompts for parallel review agents do not include delimiters or instructions to ignore embedded commands in the code being reviewed.
      • Capability inventory: The skill uses grep, glob, git blame, and calls several sub-tools including review-comments, test, review-interfaces, and the Skill tool for external model interaction.
      • Sanitization: Absent. There is no evidence of validation or sanitization for the code content retrieved before it is passed to the analysis agents.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 3, 2026, 05:36 PM
Security Audit — agent-trust-hub — code-review