codex-review-branch
Pass
Audited by Gen Agent Trust Hub on Apr 20, 2026
Risk Level: SAFE [PROMPT_INJECTION]
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection as it processes untrusted content from feature branches while possessing broad execution capabilities.
  - Ingestion points: Code, diffs, and commit history from the feature branch being reviewed (SKILL.md).
  - Boundary markers: Absent; no delimiters or instructions are provided to the agent to disregard commands found within the source code.
  - Capability inventory: The agent has access to Bash (including bash:* and git:* patterns), MCP tools (mcp__codex__codex), and file system tools (Read, Grep, Glob).
  - Sanitization: There is no evidence of sanitization, escaping, or filtering of the branch content before it is read into the agent's context.