gh-address-comments

Pass

Audited by Gen Agent Trust Hub on Mar 24, 2026

Risk Level: SAFE
Finding categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill ingests untrusted data in the form of GitHub PR comments and review threads, which creates a surface for indirect prompt injection. Malicious instructions placed in a PR comment could mislead the agent when it attempts to "Apply fixes" based on the review feedback.
  • Ingestion points: scripts/fetch_comments.py fetches comments, reviews, and reviewThreads nodes from the GitHub GraphQL API.
  • Boundary markers: No delimiters or protective instructions are used to separate the external comment content from the agent's instructions.
  • Capability inventory: According to SKILL.md, the agent is expected to "Apply fixes for the selected comments", which typically grants it file system write access or the ability to execute development commands.
  • Sanitization: The fetched comment bodies are not sanitized or validated before being processed by the agent.
  • [COMMAND_EXECUTION]: The instruction in SKILL.md executes a shell command that interpolates the $ARGUMENTS variable: python "$SKILL_DIR/scripts/fetch_comments.py" --pr "$ARGUMENTS". If the execution environment does not sanitize this input, it could allow a user to perform command injection by providing a value containing shell metacharacters (e.g., ;, &, |).
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 24, 2026, 03:17 PM