review-pr
Audited by Gen Agent Trust Hub on Feb 13, 2026
The skill review-pr is a natural language instruction set for an AI agent. It outlines a detailed workflow for reviewing pull requests.
1. Prompt Injection: No direct prompt injection attempts were found. The use of keywords like IMPORTANT and CRITICAL serves as natural instructional language to guide the AI's review process and output format, not to bypass safety guidelines, extract system prompts, or jailbreak the AI. These instructions are benign and part of the skill's intended functionality.
2. Data Exfiltration: No patterns indicating data exfiltration were detected. The skill instructs the AI to use git commands for status and diffs, and gh api commands for posting review comments to GitHub. These are legitimate interactions with public GitHub APIs and do not involve sending sensitive local files to arbitrary external servers.
3. Obfuscation: No obfuscation techniques (Base64, zero-width characters, homoglyphs, URL/hex/HTML encoding) were found in the skill's markdown content.
4. Unverifiable Dependencies: The skill relies on the AI's internal "specialized agents" (Haiku, Sonnet, Opus) and instructs the AI to use standard, commonly available tools like git and gh. These are not external dependencies that the skill itself downloads or installs from unverified sources.
5. Privilege Escalation: No commands or instructions related to privilege escalation (e.g., sudo, chmod +x, chmod 777, service installation) were found.
6. Persistence Mechanisms: No commands or instructions related to persistence mechanisms (e.g., modifying .bashrc, crontab, authorized_keys) were found.
7. Metadata Poisoning: The skill's metadata (name, description, argument-hint) is benign and accurately reflects its purpose.
8. Indirect Prompt Injection (INFO): As a skill designed to process external user-provided content (pull request code and descriptions), it is inherently susceptible to indirect prompt injection. Malicious instructions embedded within the pull request content could potentially influence the AI's behavior or its execution of git and gh commands. This is an informational risk common to such skills, and users should be aware that the AI will be processing external code.
9. Time-Delayed / Conditional Attacks: No patterns indicating time-delayed or conditional attacks (e.g., date/time checks, usage counters, environment-specific triggers for malicious actions) were found.
10. Command Execution (INFO): The skill explicitly instructs the AI to run git and gh commands. While these commands are standard and used for benign purposes (fetching PR information, posting comments), the capability for command execution is present. This is not a direct threat from the skill itself, but an inherent capability that could be leveraged if the AI were compromised by an indirect prompt injection.