skills/cartridge-gg/agents/create-pr/Gen Agent Trust Hub

create-pr

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (LOW): The skill fetches PR comments and reviews via scripts/poll-pr.sh and scripts/triage-pr.sh and is explicitly instructed in SKILL.md (Step 13) to "Address comments that are clearly actionable". This creates a surface for attackers to influence the agent's behavior via malicious comments.
      • Ingestion points: GitHub PR comments, review bodies, and inline review comments (fetched via gh api).
      • Boundary markers: Absent. No delimiters or "ignore instructions" warnings are applied to the external content before it enters the agent context.
      • Capability inventory: The agent can modify code, execute git commit, git push, and gh pr merge, potentially allowing an injector to exfiltrate code or merge malicious changes.
      • Sanitization: Absent. Content is passed directly as strings (truncated to 200 characters in some cases) to the agent.
  • Command Execution (SAFE): The skill's use of git, gh CLI, and local helper scripts is appropriate for its stated purpose. No unauthorized command execution or privilege escalation attempts were detected.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:11 PM