coderabbit-rate-limits

Pass

Audited by Gen Agent Trust Hub on Apr 4, 2026

Risk Level: SAFE · COMMAND_EXECUTION · PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Shell scripts in Steps 2, 4, and 5 interpolate the variables $ORG and $REPO directly into gh api command strings. This pattern is susceptible to command injection if the organization or repository names provided by the user contain shell metacharacters (e.g., ;, `).
  • [COMMAND_EXECUTION]: The script in Step 5 uses a predictable file path in the shared /tmp directory (/tmp/coderabbit-metrics-$ORG-$REPO.json). This is a common security weakness (CWE-377) that can be exploited in multi-user environments for symlink attacks or data tampering.
  • [PROMPT_INJECTION]: The skill facilitates indirect prompt injection by retrieving and processing data from external GitHub resources such as Pull Requests and Reviews.
      • Ingestion points: gh api calls in SKILL.md (Steps 2, 4, and 5) that fetch pull request metadata and review comments.
      • Boundary markers: No delimiters or instructions to ignore embedded commands are used when presenting the fetched data to the agent context.
      • Capability inventory: The skill is granted Bash, Write, Edit, and Read permissions, creating a significant impact surface if the agent is manipulated.
      • Sanitization: While jq is used for structural parsing of the JSON responses, the string content within the extracted fields is not sanitized or validated for malicious instructions.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 4, 2026, 03:47 PM