skills/iofficeai/aionui/pr-review/Gen Agent Trust Hub

pr-review

Pass

Audited by Gen Agent Trust Hub on Apr 5, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection because it processes untrusted data from GitHub Pull Requests.
  • Ingestion points: The agent reads the PR title, body, discussion comments, and the full code diff (via gh pr view and git diff) in Steps 4 and 6.
  • Capability inventory: The skill can execute shell commands (bash), read local files, and write comments back to GitHub (gh pr comment or gh api). In automation mode, it can influence downstream CI/CD logic via machine-readable output.
  • Boundary markers: There are no explicit delimiters or instructions provided to the agent to distinguish between its own logic and the untrusted PR content being reviewed.
  • Sanitization: No sanitization or filtering is performed on the PR metadata or code before it is passed to the AI for analysis.
  • [EXTERNAL_DOWNLOADS]: The skill uses bunx oxlint in Step 5 to perform code analysis. While oxlint is a well-known tool, bunx downloads the package from the npm registry at runtime if it is not present.
  • [COMMAND_EXECUTION]: The skill constructs and executes several shell commands using user-supplied $ARGUMENTS and data retrieved from the gh CLI, such as PR_NUMBER and baseRefName. While typical for this workflow, it represents a standard attack surface for command injection if the environment does not properly sanitize these variables.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 5, 2026, 09:34 AM