code-review

Fail

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands using unvalidated branch names provided by the user (e.g., in git worktree and fetch commands). An attacker could provide a branch name with shell metacharacters to execute arbitrary code on the host system.
  • [REMOTE_CODE_EXECUTION]: The skill automatically runs package installation and test commands (pnpm install, cargo clippy, go test) on the code from the reviewed branch. Malicious branches can exploit these tools to execute arbitrary code via build scripts (e.g., package.json postinstall hooks) or test files during the review process.
  • [EXTERNAL_DOWNLOADS]: The skill performs automated dependency installation which fetches packages from external registries (NPM, Crates.io, Go Proxy) based on the branch configuration, posing a risk of dependency confusion or supply chain attacks.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it processes untrusted code from external branches. Ingestion points: Reads branch changes via git diff and git show. Boundary markers: None identified; instructions do not specify delimiters to separate code from instructions. Capability inventory: Subprocess execution (pnpm, cargo, go) and file system writes (report generation). Sanitization: None identified; content is processed directly. Malicious instructions in code comments could influence the agent's findings or actions.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 29, 2026, 07:21 PM