The Agent Skills Directory

[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests untrusted data from the project's git environment to generate summaries.
Ingestion points: The skill reads staged diffs using git diff --cached and recent history via git log (SKILL.md).
Boundary markers: There are no specific delimiters or instructions to separate the diff content from the agent's primary instructions, allowing content within the code changes to potentially influence the model's behavior.
Capability inventory: The skill uses local bash commands for git operations; it does not have network access or file-write capabilities that would allow for higher-impact exploitation.
Sanitization: No sanitization or filtering is performed on the ingested diff content before it is processed by the model.
Remediation: Wrap external content in clear delimiters (e.g., XML tags) and provide explicit instructions to the agent to treat the wrapped content strictly as data and to ignore any instructions found within it.

commit-message