update-pr-body

Pass

Audited by Gen Agent Trust Hub on Mar 31, 2026

Risk Level: SAFE
Categories flagged: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection by fetching and processing untrusted pull request bodies from GitHub.
      • Ingestion points: The gh pr view command in SKILL.md retrieves content from pull request descriptions, which are external and can be modified by third parties.
      • Boundary markers: There are no delimiters or instructions provided to the agent to distinguish between valid data and embedded instructions within the PR body.
      • Capability inventory: The skill utilizes the gh CLI tool with broad permissions (gh:*) to execute API calls and shell commands.
      • Sanitization: No sanitization, escaping, or validation logic is present to handle malicious content inside the retrieved PR body.
  • [COMMAND_EXECUTION]: The provided bash examples demonstrate unsafe shell interpolation of untrusted external data.
      • Evidence: In SKILL.md, the example command gh api -X PATCH ... -f body="${CURRENT_BODY}..." interpolates the CURRENT_BODY variable directly into a double-quoted shell string.
      • Risk: If the PR body contains shell metacharacters such as backticks or $(...) sequences, the shell environment executing the agent's script may evaluate and execute those commands.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 31, 2026, 02:02 PM