codex-code-review

Warn

Audited by Gen Agent Trust Hub on Apr 20, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes commands derived from the project being reviewed, specifically {LINT_FIX_COMMAND} and {BUILD_COMMAND} found in CLAUDE.md or package.json. This enables arbitrary command execution if the reviewed project contains malicious script definitions.
  • [COMMAND_EXECUTION]: The workflow depends on the execution of several local shell scripts (scripts/emit-review-gate.sh, scripts/resolve-feature.sh). These scripts must be present and secure within the project environment.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection by ingesting untrusted data from the repository and interpolating it into prompts for the Codex MCP tool.
      - Ingestion points: Feature request documentation (.md files) and historical nit logs (.claude_nit_history.json) are read and processed in SKILL.md (Steps 1.5 and 1.6).
      - Boundary markers: While some XML tagging is used for deferred context, the implementation lacks robust delimiters for acceptance criteria injected into the SPEC_CHECKLIST variable.
      - Capability inventory: The agent has broad shell access via Bash(bash:*) and the ability to invoke external MCP tools and sub-tasks.
      - Sanitization: Step 1.6 specifies basic sanitization (truncation, character stripping), but Step 1.5 (specification-driven review) does not explicitly sanitize the criteria extracted from potentially attacker-controlled markdown files.
Audit Metadata
  Risk Level: MEDIUM
  Analyzed: Apr 20, 2026, 07:24 PM
Security Audit — agent-trust-hub — codex-code-review