qodo-pr-resolver

Pass

Audited by Gen Agent Trust Hub on Apr 15, 2026

Risk Level: SAFE
PROMPT_INJECTION · COMMAND_EXECUTION · EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection because its core workflow involves ingesting and acting upon untrusted data from GitHub comments. It specifically instructs the agent to extract and follow 'Agent Prompt' sections from external PR comments as primary guidance for fixing code.
    • Ingestion points: GitHub issue and pull request comments are fetched using the gh api in SKILL.md and references/api-reference.md.
    • Boundary markers: The skill does not employ boundary markers or instructions to isolate the fetched external text, potentially allowing malicious instructions in a comment to influence the agent's behavior.
    • Capability inventory: The skill possesses significant capabilities, including the ability to modify local files, execute arbitrary test and lint commands, and perform network operations via the GitHub API (posting replies and resolving threads).
    • Sanitization: No sanitization or validation logic is defined for the content extracted from the external comments before it is used to guide code modifications.
  • [COMMAND_EXECUTION]: The skill performs automated command execution by detecting and running project-specific test, lint, and formatting tools (such as npm test, pytest, ruff, and eslint) based on the local environment's configuration, as detailed in references/test-integration.md.
  • [EXTERNAL_DOWNLOADS]: The references/test-integration.md file suggests that the agent should install missing dependencies using npm install or pip install -r requirements.txt. While this is standard for development workflows, it represents a potential vector for supply chain attacks if the repository configuration is compromised.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 15, 2026, 05:39 PM