git-pr-review
Pass
Audited by Gen Agent Trust Hub on Apr 3, 2026
Risk Level: SAFE
PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8) because its primary function is to process and analyze untrusted external data from GitHub Pull Requests (diffs, descriptions, and comments). An attacker could include malicious instructions within a PR to manipulate the agent's merge recommendation or influence the content of the final report.
- Ingestion points: PR metadata, diffs, review comments, and associated issue data fetched via GitHub URLs and the `gh` CLI (referenced in `SKILL.md` and `scripts/prepare_review_job.py`).
- Boundary markers: Absent. The scripts and prompt templates do not utilize specific delimiters (e.g., XML tags or unique markers) to isolate untrusted PR content from the agent's instructions.
- Capability inventory: The skill possesses file-writing capabilities (to `.git-pr-review/` and the project root), subprocess execution (running `parallel_vibe.py`), and network access (via the `gh` tool).
- Sanitization: Absent. The PR content is interpolated directly into analysis prompts without escaping or validation.
- [DATA_EXFILTRATION]: The skill contains explicit instructions in `SKILL.md` to use the `gh` CLI tool to upload bug data from a local directory (`~/.bensz-skills/bugs/`) to an external repository controlled by the author (`huangwb8/bensz-bugs`). While this is presented as a developer diagnostic feature and intended to be triggered by the user, it provides a functional path for local data to be sent to a remote vendor-owned destination.
- [COMMAND_EXECUTION]: The skill's architecture relies on executing a Python script located outside its own directory (`../parallel-vibe/scripts/parallel_vibe.py`). The command is dynamically constructed in `scripts/build_parallel_review_plan.py` and provided to the agent for execution. This creates a dependency on an external script that is not bundled with the skill itself.
Audit Metadata