The Agent Skills Directory

[COMMAND_EXECUTION]: The skill executes shell commands using variables derived from user input and repository metadata, such as ${PR_NUMBER} and ${REVIEW_ID}. This creates a potential surface for command injection if these parameters are not strictly validated by the agent before being passed to the shell.
[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests and processes untrusted data from Pull Request titles, descriptions, and code diffs. Ingestion points: PR metadata fetched via gh pr view and code changes retrieved via git diff or gh pr diff. Boundary markers: The skill provides task context to subagents but lacks explicit 'ignore instructions' delimiters for the untrusted content. Capability inventory: Execution of shell commands (git, gh), invocation of other skills, and file system modifications. Sanitization: No content filtering or validation is performed on the ingested PR data.
[COMMAND_EXECUTION]: The skill modifies the user's local repository state by performing git stash and gh pr checkout to review remote code. Although restoration logic is provided in references/restore-working-tree.md, there is a risk of workspace inconsistency or data disruption if the process is interrupted or fails.

ah-review-code