pr-review

Pass

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION | EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8). It ingests untrusted data from external sources including PR/MR descriptions (via gh pr view --json body) and commit messages (via gh pr view --json commits). An attacker could embed malicious instructions within these fields to influence the agent's review logic or the contents of the generated report.
      • Ingestion points: SKILL.md (Phase 1 and Phase 2) reads PR bodies and commit histories.
      • Boundary markers: No explicit delimiters or 'ignore embedded instructions' warnings are applied to the ingested content before it is processed by the review tools.
      • Capability inventory: The skill possesses the ability to execute shell commands, create issues on GitHub/GitLab, and post comments to PRs.
      • Sanitization: There is no evidence of sanitization or escaping of PR/commit text before it is used in subsequent steps.
  • [COMMAND_EXECUTION]: The skill relies extensively on executing shell commands using well-known CLI tools (gh, glab, find, cat, jq). These commands are used to establish scope, gather changes, and perform version validation. While the implementation uses standard patterns, the dynamic construction of these commands with PR-related variables is a surface that warrants monitoring.
  • [EXTERNAL_DOWNLOADS]: The skill interacts with well-known technology services (GitHub and GitLab) via their official CLI tools to fetch repository data and PR metadata. These operations target trusted domains and are considered safe under the standard operating model of a PR review tool.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 6, 2026, 12:21 PM