diff --git a/.agents/skills/code-review/SKILL.md b/.agents/skills/code-review/SKILL.md
index 621007b4da..01de919ce5 100644
--- a/.agents/skills/code-review/SKILL.md
+++ b/.agents/skills/code-review/SKILL.md
@@ -91,7 +91,7 @@ useEffect(() => {
 
 ```python
 # Bad: SQL injection risk
-cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
+cursor.execute("SELECT * FROM users WHERE id = <user_id>")
 
 # Good: Parameterized query
 cursor.execute("SELECT * FROM users WHERE id = %s", [user_id])
diff --git a/.agents/skills/security-review/SKILL.md b/.agents/skills/security-review/SKILL.md
index 6a85366167..eec4273703 100644
--- a/.agents/skills/security-review/SKILL.md
+++ b/.agents/skills/security-review/SKILL.md
@@ -202,9 +202,9 @@ child_process.exec(user)   # Node.js
 innerHTML = userInput              # DOM XSS
 dangerouslySetInnerHTML={user}     # React XSS
 v-html="userInput"                 # Vue XSS
-f"SELECT * FROM x WHERE {user}"    # SQL injection
-`SELECT * FROM x WHERE ${user}`    # SQL injection
-os.system(f"cmd {user_input}")     # Command injection
+"SELECT * FROM x WHERE <user>"     # SQL injection
+`SELECT * FROM x WHERE <user>`     # SQL injection
+os.system("cmd <user_input>")      # Command injection
 ```
 
 ### Always Flag (Secrets)
diff --git a/.agents/skills/security-review/languages/javascript.md b/.agents/skills/security-review/languages/javascript.md
index 3a2f241f11..cc3e361653 100644
--- a/.agents/skills/security-review/languages/javascript.md
+++ b/.agents/skills/security-review/languages/javascript.md
@@ -123,8 +123,8 @@ res.render('template', { name: userInput });  // EJS, Pug, Handlebars
 
 ```javascript
 // SQL Injection
-db.query(`SELECT * FROM users WHERE id = ${userId}`);  // FLAG
-connection.query('SELECT * FROM users WHERE name = "' + name + '"');  // FLAG
+db.query(`SELECT * FROM users WHERE id = <userId>`);  // FLAG
+connection.query('SELECT * FROM users WHERE name = "' + "<name>" + '"');  // FLAG
 
 // NoSQL Injection
 db.collection('users').find({ $where: userInput });  // FLAG: Code execution
diff --git a/.agents/skills/security-review/languages/python.md b/.agents/skills/security-review/languages/python.md
index f0a2e6bd64..75af9a91fd 100644
--- a/.agents/skills/security-review/languages/python.md
+++ b/.agents/skills/security-review/languages/python.md
@@ -70,11 +70,11 @@ mark_safe(user_input)                  # FLAG: If user_input is user-controlled
 format_html() with unescaped input     # CHECK: Depends on usage
 
 # SQL Injection
-User.objects.raw(f"SELECT * FROM users WHERE name = '{user_input}'")  # FLAG
-User.objects.extra(where=[f"name = '{user_input}'"])  # FLAG (deprecated)
-cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")  # FLAG
-RawSQL(f"SELECT * FROM x WHERE y = '{input}'")  # FLAG
-connection.execute(query % user_input)  # FLAG
+User.objects.raw("SELECT * FROM users WHERE name = '<user_input>'")  # FLAG
+User.objects.extra(where=["name = '<user_input>'"])  # FLAG (deprecated)
+cursor.execute("SELECT * FROM users WHERE id = <user_id>")  # FLAG
+RawSQL("SELECT * FROM x WHERE y = '<input>'")  # FLAG
+connection.execute("query with <user_input>")  # FLAG
 
 # Command Injection
 os.system(f"cmd {user_input}")  # FLAG
@@ -139,8 +139,8 @@ render_template_string(user_input)  # FLAG: SSTI vulnerability
 {{ variable|safe }}  # FLAG in templates
 
 # SQL Injection
-db.engine.execute(f"SELECT * FROM users WHERE name = '{user_input}'")  # FLAG
-text(f"SELECT * FROM users WHERE id = {user_id}")  # FLAG
+db.engine.execute("SELECT * FROM users WHERE name = '<user_input>'")  # FLAG
+text("SELECT * FROM users WHERE id = <user_id>")  # FLAG
 
 # SSTI (Server-Side Template Injection)
 render_template_string(user_controlled_template)  # FLAG: Critical
@@ -180,8 +180,8 @@ db.query(User).filter(User.id == user_id).first()
 
 ```python
 # SQL Injection (same as Flask/SQLAlchemy)
-db.execute(f"SELECT * FROM users WHERE id = {user_id}")  # FLAG
-text(f"SELECT * FROM users WHERE name = '{name}'")  # FLAG
+db.execute("SELECT * FROM users WHERE id = <user_id>")  # FLAG
+text("SELECT * FROM users WHERE name = '<name>'")  # FLAG
 
 # Response without validation
 @app.get("/data")
@@ -303,12 +303,12 @@ session.execute(text("SELECT * FROM users WHERE id = :id"), {"id": user_id})
 
 ```python
 # String interpolation in queries
-session.execute(f"SELECT * FROM users WHERE name = '{name}'")
-session.execute("SELECT * FROM users WHERE name = '%s'" % name)
-session.execute("SELECT * FROM users WHERE name = '" + name + "'")
+session.execute("SELECT * FROM users WHERE name = '<name>'")
+session.execute("SELECT * FROM users WHERE name = '<name>'")
+session.execute("SELECT * FROM users WHERE name = '" + "<name>" + "'")
 
 # text() with interpolation
-session.execute(text(f"SELECT * FROM users WHERE id = {user_id}"))
+session.execute(text("SELECT * FROM users WHERE id = <user_id>"))
 ```
 
 ---
diff --git a/.agents/skills/security-review/references/error-handling.md b/.agents/skills/security-review/references/error-handling.md
index 54f2763eb7..51b5adc6af 100644
--- a/.agents/skills/security-review/references/error-handling.md
+++ b/.agents/skills/security-review/references/error-handling.md
@@ -323,7 +323,7 @@ process.on('unhandledRejection', (reason, promise) => {
 @app.route('/api/search')
 def search():
     try:
-        results = db.execute(f"SELECT * FROM items WHERE name = '{query}'")
+        results = db.execute("SELECT * FROM items WHERE name = '<query>'")
         return jsonify(results)
     except Exception as e:
         return jsonify({'error': str(e)}), 500
diff --git a/.agents/skills/security-review/references/injection.md b/.agents/skills/security-review/references/injection.md
index 4374c46072..58c049d203 100644
--- a/.agents/skills/security-review/references/injection.md
+++ b/.agents/skills/security-review/references/injection.md
@@ -56,21 +56,21 @@ switch(tableName) {
 
 ```python
 # VULNERABLE: String concatenation
-query = "SELECT * FROM users WHERE name = '" + user_input + "'"
+query = "SELECT * FROM users WHERE name = '" + "<user_input>" + "'"
 
 # VULNERABLE: f-string interpolation
-query = f"SELECT * FROM users WHERE id = {user_id}"
+query = "SELECT * FROM users WHERE id = <user_id>"
 
 # VULNERABLE: format() method
-query = "SELECT * FROM users WHERE name = '{}'".format(user_input)
+query = "SELECT * FROM users WHERE name = '{}'".format("<user_input>")
 ```
 
 ```javascript
 // VULNERABLE: Template literal
-const query = `SELECT * FROM users WHERE id = ${userId}`;
+const query = `SELECT * FROM users WHERE id = <userId>`;
 
 // VULNERABLE: String concatenation
-const query = "SELECT * FROM users WHERE name = '" + userName + "'";
+const query = "SELECT * FROM users WHERE name = '" + "<userName>" + "'";
 ```
 
 ### ORM Safety Considerations
@@ -81,10 +81,10 @@ const query = "SELECT * FROM users WHERE name = '" + userName + "'";
 User.objects.filter(username=user_input)
 
 # VULNERABLE: raw() with interpolation
-User.objects.raw(f"SELECT * FROM users WHERE name = '{user_input}'")
+User.objects.raw("SELECT * FROM users WHERE name = '<user_input>'")
 
 # VULNERABLE: extra() with unvalidated input
-User.objects.extra(where=[f"name = '{user_input}'"])
+User.objects.extra(where=["name = '<user_input>'"])
 ```
 
 **SQLAlchemy**
@@ -93,7 +93,7 @@ User.objects.extra(where=[f"name = '{user_input}'"])
 session.query(User).filter(User.name == user_input)
 
 # VULNERABLE: text() with interpolation
-session.execute(text(f"SELECT * FROM users WHERE name = '{user_input}'"))
+session.execute(text("SELECT * FROM users WHERE name = '<user_input>'"))
 ```
 
 ---