adversarial-review

Pass

Audited by Gen Agent Trust Hub on Apr 30, 2026

Risk Level: SAFE
Full Analysis
  • [PROMPT_INJECTION]: The skill identifies and manages the surface for indirect prompt injection inherent in its role as a code reviewer.
  • Ingestion points: Untrusted code changes are ingested from git diff and gh pr diff as defined in SKILL.md.
  • Boundary markers: Review prompts in prompts/reviewer-a.md, prompts/reviewer-b.md, prompts/cross-review.md, and prompts/synthesis.md utilize BEGIN_UNTRUSTED_CODE and END_UNTRUSTED_CODE delimiters.
  • Capability inventory: The skill utilizes subprocess calls to git, gh, and claude CLI tools to perform its functions.
  • Sanitization: Sub-agents are explicitly instructed to ignore embedded directives and treat the input strictly as code, supported by the use of stdin redirection for data passing.
  • [DATA_EXPOSURE]: Sensitive code artifacts are protected by creating a restricted temporary directory using mktemp -d followed by chmod 700 in SKILL.md, ensuring that temporary review files are not globally readable.
  • [COMMAND_EXECUTION]: The skill safely executes CLI tools by avoiding the interpolation of untrusted diff content directly into shell commands, opting instead for file-based input and redirection to the sub-agent CLI.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 30, 2026, 09:07 PM