The Agent Skills Directory

[UNVERIFIABLE_DEPENDENCIES_AND_REMOTE_CODE_EXECUTION]: The skill executes bun run lint:fix and bunx tsc within a worktree created from the Pull Request's head branch. Because these commands are defined and controlled by the PR author through configuration files like package.json or tsconfig.json, an attacker can submit a malicious PR that executes arbitrary code with the agent's privileges during the fix/rebase phase.
[INDIRECT_PROMPT_INJECTION]: The automation logic determines its next state by parsing PR comments that start with a specific bot signature (). Since the skill fetches these comments without verifying the author, a malicious contributor can post a crafted comment to trick the bot into merging a PR or moving it through the state machine incorrectly.
Ingestion points: PR comments retrieved via gh pr view <PR_NUMBER> --json comments in SKILL.md.
Boundary markers: The skill looks for  and  tags but lacks identity verification for the commenter.
Capability inventory: Powerful capabilities including gh pr merge, gh pr edit, gh run approve, and git push --force-with-lease are present across the automation flow.
Sanitization: No sanitization or author validation is performed on the comment body before parsing the state results.
[PRIVILEGE_ESCALATION]: The skill uses gh run approve to manually trigger GitHub Actions workflows for PRs (including those from forks) where CI has not started. This action grants untrusted code the ability to run within the repository's CI environment, which could lead to resource abuse or secret exposure if the repository is not strictly configured.
[DATA_EXPOSURE_AND_EXFILTRATION]: Combined with the Remote Code Execution vulnerability, the skill's access to GitHub credentials and local repository data via the gh and git CLIs provides a clear path for an attacker to exfiltrate environment variables, API tokens, and sensitive source code.

pr-automation