skills/dmythro/agent-skills/git-pr/Gen Agent Trust Hub

git-pr

Pass

Audited by Gen Agent Trust Hub on Feb 26, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it instructs the agent to ingest and act upon PR/MR comments and review threads, which are external, untrusted inputs.
      • Ingestion points: references/pr-comment-workflow.md fetches unresolved threads and discussions via gh api and glab api calls.
      • Boundary markers: The skill does not define specific delimiters or instructions to differentiate between ingested comment data and the agent's system instructions.
      • Capability inventory: The skill possesses significant capabilities, including modifying source code to fix issues, resolving threads, and merging pull requests.
      • Sanitization: No sanitization, escaping, or validation of the external comment content is performed before processing.
  • [COMMAND_EXECUTION]: The skill makes extensive use of the gh (GitHub) and glab (GitLab) CLI tools for repository operations.
      • In references/allowlist.md, the skill recommends auto-approval patterns for these commands. Some patterns, such as *query(*) for GraphQL, are designed to restrict operations to read-only queries but rely on simple glob matching that could potentially be bypassed by sophisticated attackers, depending on the host environment's implementation.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 26, 2026, 11:06 AM