skills/getsentry/skills/pr-writer/Gen Agent Trust Hub

pr-writer

Pass

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface.
  • Ingestion points: Untrusted data enters the agent context in SKILL.md via git log, git diff (Step 2), and gh pr view (Step 3), which read commit messages, code changes, and existing PR metadata.
  • Boundary markers: Absent. The skill does not use specific delimiters or instructions for the agent to disregard potential commands embedded within the ingested text.
  • Capability inventory: The skill performs shell executions for repository inspection and PR modification. Step 6 uses gh pr create and gh api with shell heredocs, which creates a potential execution vector if the agent is manipulated into outputting specific terminator strings.
  • Sanitization: Absent. While guidelines exist for filtering PII, there is no technical validation or escaping of the AI-generated strings before they are used as shell command arguments.
  • [COMMAND_EXECUTION]: Potential for command injection via shell heredoc manipulation. In SKILL.md (Step 6), the skill constructs shell commands using cat <<'EOF'. If an attacker successfully influences the PR content (via the indirect injection surface) to include the EOF terminator followed by malicious shell commands, these commands could be executed in the user's environment during the PR update process.
Audit Metadata
Risk Level: SAFE
Analyzed: May 16, 2026, 04:23 AM