issue-review

Pass

Audited by Gen Agent Trust Hub on May 1, 2026

Risk Level: SAFE
PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It retrieves issue titles, descriptions, and comments from external GitLab or GitHub repositories and processes them autonomously without user intervention.
      • Ingestion points: The issue_title, issue_description, and issue_comments fields are fetched from remote sources in Step 1 and used throughout the workflow.
      • Boundary markers: No boundary markers or "ignore instructions" warnings are used when interpolating this untrusted data into the persona sub-agent prompts in Step 4.
      • Capability inventory: The skill can explore the codebase using git, grep, and glob, read arbitrary files for context, spawn sub-agents, and post comments back to the remote repository.
      • Sanitization: No sanitization, escaping, or validation of the retrieved issue content is performed before it is used to drive the agent's logic.
  • [DATA_EXFILTRATION]: Maliciously crafted content within an issue description or comment could trick the agent into using its codebase exploration capabilities to locate sensitive files (such as configuration files or internal documentation) and include summaries of that data in the review report, which is then posted publicly to the issue tracker using glab or gh.
  • [COMMAND_EXECUTION]: The skill executes multiple CLI tools (glab, gh, git, grep) autonomously. The parameters for these commands and the logic driving their use are influenced by untrusted data retrieved from external issues, creating a surface for manipulation through the agent's task execution.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 1, 2026, 11:58 AM