The Agent Skills Directory

PROMPT_INJECTION (HIGH): The skill exhibits a significant Indirect Prompt Injection surface by ingesting untrusted data from GitHub PR comments via the 'gh' CLI and using it to drive agent actions. * Ingestion points: PR review comments and issue comments are fetched and processed into a TODO list for the agent. * Boundary markers: Absent. The instructions do not specify any delimiters or warnings to ignore instructions embedded within comments. * Capability inventory: The agent is empowered to modify source code ('implement the fix'), execute shell commands ('Run tests'), and commit changes. * Sanitization: Absent. There is no logic to filter or sanitize malicious instructions provided within the PR comments.
COMMAND_EXECUTION (HIGH): The 'Run tests' step is a critical vulnerability. In many software environments, test runners execute arbitrary code defined in the repository. An attacker who can influence the code being tested via a PR comment or by submitting a malicious PR can achieve Remote Code Execution (RCE) on the system running the skill.
DATA_EXFILTRATION (MEDIUM): While not explicitly designed for exfiltration, the capability to run arbitrary tests and the requirement for a GitHub CLI environment (which contains authentication tokens) creates a risk where an attacker could use the test execution phase to exfiltrate the 'GH_TOKEN' or other secrets to an external server.

pr-review