Security Audit — agent-trust-hub — qa
Skill: skills/szoloth/skill-pack/qa
Verdict: Warn
Audited by Gen Agent Trust Hub on May 14, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: Step 4 of the review process builds the input for the Codex tool with an unquoted heredoc (cat <<PROMPT) and interpolates ${CHANGED_FILES}, a list of filenames taken from the repository, into it. Because the delimiter is unquoted, the heredoc body undergoes parameter expansion and command substitution, so filenames containing shell metacharacters such as backticks (`) or $(...) are a command-injection hazard. The mechanics matter for exploitability: the shell expands ${CHANGED_FILES} once and does not re-scan the result, so a hostile name held in the variable reaches the prompt verbatim instead of executing at that point; it does execute if the name is written literally into the command text, which is how an agent following the step may well compose it, or if the expanded prompt is later passed through eval or another shell. Quoting the delimiter (<<'PROMPT') and emitting the file list through a separate write (for example printf '%s\n' "$CHANGED_FILES") removes the hazard.
  • [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection (Category 8): it reads untrusted data from the local repository (diffs and file contents, which any contributor can shape) and passes it to another AI model without sanitization.
  • Ingestion points: The skill reads repository data with git diff in Step 3 and points Codex at the repository itself via the -C flag in Step 4, so the model reads files directly rather than only the diff.
  • Boundary markers: No delimiters or boundary markers (XML tags or other separators) isolate the untrusted code content from the instructions, so text inside a diff or source file is indistinguishable from the review prompt.
  • Capability inventory: The skill can execute shell commands (bash), read the entire repository, and write files to the temporary directory, so an injected instruction that the model follows has local command execution and file writes available to it.
  • Sanitization: There is no evidence of sanitization, escaping, or validation of the repository content before it is placed in the prompt.
  • [DATA_EXFILTRATION]: Sensitive technical information, including code diffs and detailed audit findings, is written to the shared /tmp/ directory (e.g., /tmp/qa-full-diff.patch). With the common default umask of 022, a file created there is mode 0644 and readable by every local user; the sticky bit on /tmp stops other users from deleting it but not from reading it. On a multi-user host this exposes source code and the discovered vulnerabilities. A private directory from mktemp -d (mode 0700), or umask 077 before writing, avoids the exposure.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 14, 2026, 09:47 PM