skills/henryqw/skills/gh-autopilot/Gen Agent Trust Hub

gh-autopilot

Pass

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes external data from GitHub pull request comments to determine its next autonomous actions.
      • Ingestion points: The scripts scripts/run_autopilot_loop.py and scripts/export_copilot_feedback.py fetch review bodies and thread comments from GitHub via gh api graphql calls.
      • Boundary markers: While the skill organizes data into structured artifacts like cycle.json and context.md, it does not use delimiters or explicit instructions telling the LLM to ignore the content of the Copilot comments or treat it as untrusted data.
      • Capability inventory: The skill possesses significant capabilities, including the ability to resolve review threads, post replies to PRs, manage PR reviewers via the gh CLI, and write state files to the local .context/ directory.
      • Sanitization: No sanitization, filtering, or escaping is performed on the body field of the ingested comments before they are passed to the agent for processing in Stage 3.
Audit Metadata
  Risk Level: SAFE
  Analyzed: Mar 6, 2026, 04:54 PM