The Agent Skills Directory

[COMMAND_EXECUTION]: The skill constructs shell commands using variables derived from user input or external metadata without adequate sanitization. In SKILL.md, variables such as ${PR_NUMBER}, ${REPO_NAME}, and ${BRANCH_NAME} are used directly in commands like gh pr view ${PR_NUMBER}, gh pr diff ${PR_NUMBER}, and gh pr checkout ${PR_NUMBER}. If these variables contain shell metacharacters (e.g., semicolon, pipe, or backticks), they could lead to arbitrary command execution on the host system.
[PROMPT_INJECTION]: The skill has a significant surface for indirect prompt injection because it processes untrusted code changes.
Ingestion points: The skill reads external, untrusted code into a diff file (${DIFF_FILE}) in Step 4 and Step 5 of SKILL.md.
Boundary markers: No explicit delimiters or instructions are provided to the sub-agents to ignore instructions embedded within the code diff.
Capability inventory: The skill possesses the ability to write files to the local file system and submit comments to GitHub PRs via the arinhub-submit-code-review skill.
Sanitization: There is no evidence of sanitization, filtering, or validation of the content within the diff file before it is passed to multiple LLM-based sub-agents for analysis. This allows an attacker to embed malicious instructions within a Pull Request that could influence the review's outcome or manipulate the agent's behavior.

arinhub-code-reviewer