pull-request-review

Fail

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: HIGH
Threat categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill instructs the agent to execute arbitrary setup commands found in the repository branch being reviewed.
      • Evidence: Step 6 ('Set Up the Repository') commands the agent to 'Follow the documented setup steps exactly' and lists examples like 'npm install', 'pip install', and 'Building assets or compiling code'.
      • Risk: Pull request content is untrusted external input. An attacker can submit a PR with a malicious README that includes destructive commands or backdoors disguised as setup steps. Following these instructions 'exactly' leads to full system compromise.
  • [COMMAND_EXECUTION] (MEDIUM): The skill uses several shell commands with parameters extracted from external input (URLs or branch names) without explicit sanitization.
      • Evidence: Commands such as gh pr view <url-or-number> and git worktree add "$WORKTREE_PATH" use inputs that could be crafted to perform command injection or path traversal (e.g., using ../ in a branch name if not validated by the platform).
  • [PROMPT_INJECTION] (LOW): The skill contains a significant surface for Indirect Prompt Injection.
      • Evidence: The agent is tasked with reading and obeying instructions from untrusted files (README.md, DEVELOPMENT.md).
      • Mandatory Evidence Chain (Category 8):
          • Ingestion points: Repository files such as README.md, CONTRIBUTING.md, DEVELOPMENT.md, and SETUP.md within the WORKTREE_PATH.
          • Boundary markers: Absent. The skill does not instruct the agent to treat file content as untrusted data or to ignore embedded instructions.
          • Capability inventory: The agent has access to git, gh, glab, and general shell execution via the terminal for setup tasks (npm, pip, make, etc.).
          • Sanitization: Absent. The instructions explicitly state to 'Follow the documented setup steps exactly' and 'Do not assume the setup process,' which encourages the agent to rely entirely on the external file content.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 18, 2026, 04:21 PM