pr-review
Pass
Audited by Gen Agent Trust Hub on Apr 25, 2026
Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it is designed to ingest and process untrusted external data from GitHub Pull Requests (titles, descriptions, and user comments) while maintaining active tool-use capabilities.
  - Ingestion points: Untrusted data enters the agent context via the `<formatted_context>`, `<pr_or_issue_body>`, and `<comments>` tags as described in `SKILL.md`.
  - Boundary markers: The skill relies on XML-like tags to delimit external content, which provides a basic structure but does not fully prevent an attacker from escaping these boundaries with adversarial input.
  - Capability inventory: The skill has the authority to execute shell commands (`gh` and `git`) and spawn multiple sub-agents to perform investigations, which could be abused if an injection is successful.
  - Sanitization: There is no explicit logic described for sanitizing or escaping the content retrieved from GitHub before it is processed by the agent or its sub-agents.
- [COMMAND_EXECUTION]: The skill makes extensive use of the `gh` and `git` CLI tools to interact with local and remote repositories. While these are intended functions for a PR review tool, they represent a significant capability surface that would be the primary target for any successful prompt injection attack.