Gen Agent Trust Hub audit: skills/i9wa4/dotfiles/subagent-review

subagent-review

Result: Pass

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION

Full Analysis
  • [COMMAND_EXECUTION]: The skill automates context collection by executing several local command-line tools, including git for branch diffing and the GitHub CLI (gh) for fetching pull request and issue metadata. These operations are used to build the context provided to reviewers.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface. It ingests untrusted data from git diff output and GitHub metadata (PR/issue bodies and comments) and interpolates this content directly into the prompts for sub-agents (e.g., reviewer-security, reviewer-code). An attacker could embed malicious instructions in code comments or PR descriptions to influence the behavior of the sub-agents.
    1. Ingestion points: Data enters via git diff and gh CLI commands in SKILL.md.
    2. Boundary markers: The skill uses markdown comment markers (e.g., <!-- REVIEW_SESSION -->) and sub-agent capability tags, but these do not prevent the LLM from obeying instructions embedded in the ingested data.
    3. Capability inventory: The skill can execute shell commands, perform file system operations via mkoutput, and launch multiple parallel sub-tasks.
    4. Sanitization: There is no evidence of sanitization or escaping applied to the untrusted content before it is processed.
  • [COMMAND_EXECUTION]: The skill uses the codex exec tool to run review tasks in a managed environment, supporting both sequential execution and background process management.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 14, 2026, 03:11 AM