code-quality-specialist

Pass

Audited by Gen Agent Trust Hub on Mar 16, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill processes user-supplied problem descriptions which are subsequently interpolated into prompts for sub-agents and external analysis calls, creating a risk for indirect prompt injection.
  • Ingestion points: The user_issue_description field is collected from user input in action-init.md.
  • Boundary markers: The skill uses structured prompt templates (e.g., [CONTEXT], [TASK], [INPUT]) in files like action-analyze-requirements.md and action-gemini-analysis.md. Because these markers are fixed strings, a user description can reproduce them and pose as a new section of the template, so they are insufficient to fully prevent adversarial manipulation of the prompt logic.
  • Capability inventory: The skill can read and write files, execute shell commands, and invoke other sub-agents through the Task tool.
  • Sanitization: No explicit sanitization or filtering is applied to the user description before it is embedded into LLM prompts.
  • [COMMAND_EXECUTION]: The skill dynamically constructs and executes shell commands using the Bash tool to perform advanced analysis.
  • Evidence: In action-gemini-analysis.md, the skill builds a command line for the ccw CLI that includes user-derived strings. A basic escapeForShell function is applied, but a quoting helper has to get every metacharacter right for the target shell (double quotes, for instance, still expand $(...) and backticks), so dynamic command construction remains inherently sensitive; passing user text as a separate argv element with no shell involved is the robust pattern.
  • [REMOTE_CODE_EXECUTION]: As part of its primary functionality, the skill is capable of generating code changes and writing them directly to the filesystem in action-apply-fix.md. While necessary for a refactoring tool, this capability allows for significant modifications to the user's workspace.
  • [EXTERNAL_DOWNLOADS]: The skill references and interacts with the Google Gemini service via a CLI tool to perform codebase analysis. This involves transmitting local file content to a remote, well-known technology provider as part of the analysis workflow.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 16, 2026, 04:39 AM