The Agent Skills Directory

[PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it is instructed to read and follow project-specific conventions from files like 'CLAUDE.md' and inspect all source code changes and comments within a repository. This data is untrusted and could contain malicious instructions designed to subvert the agent's review logic or influence its findings. Evidence: Phase 1 (Steps 1, 2, and 3) and Phase 2 (Step 2) in 'SKILL.md'. Mandatory Evidence Chain: 1. Ingestion points: The 'Read' tool is used to ingest 'CLAUDE.md' and every changed file in the repository. 2. Boundary markers: No explicit delimiters or instructions to ignore embedded prompts are defined for the ingested content. 3. Capability inventory: Access to 'Bash', 'Read', 'Grep', and 'Glob' tools. 4. Sanitization: Absent. Mitigations: Use explicit boundary markers for external data and include instructions to disregard any embedded prompts.
[COMMAND_EXECUTION]: The skill utilizes the 'Bash' tool to execute existing tests and benchmarking or profiling scripts found within the reviewed repository. This capability involves the execution of local code which could be malicious if the repository content has been compromised. Evidence: Phase 2 (Step 1) and Phase 3 (Step 2) in 'SKILL.md' direct the agent to run tests and benchmarks. Mitigations: Restrict command execution to a sandboxed environment and implement human-in-the-loop confirmation before running project-specific scripts.

systematic-code-review