Gen Agent Trust Hub audit of skills/labring/fastgpt/pr-review

Skill: pr-review

Verdict: Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: CRITICAL
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • REMOTE_CODE_EXECUTION (CRITICAL): The skill instructions (SKILL.md) prompt the agent to check out code from a PR branch using gh pr checkout and subsequently run pnpm test, pnpm lint, and pnpm dev. This allows an attacker to execute arbitrary code within the agent's environment by modifying the project's scripts or dependencies in the PR branch.
  • PROMPT_INJECTION (HIGH): This skill is a primary target for Indirect Prompt Injection (Category 8). Evidence chain:
    1. Ingestion points: The skill reads untrusted PR titles, descriptions, and code diffs using gh pr view and gh pr diff.
    2. Boundary markers: No markers are present to distinguish instructions from data.
    3. Capability inventory: The skill can execute shell commands (pnpm), write files to /tmp/, and perform high-privilege GitHub actions (gh pr review --approve, gh pr merge, gh api).
    4. Sanitization: There is no instruction to sanitize or validate the PR content before processing or generating review comments.
  • COMMAND_EXECUTION (HIGH): The skill makes extensive use of the GitHub CLI (gh) and shell redirection (e.g., cat > /tmp/review-data.json). If data from the untrusted PR is interpolated into these commands or the review JSON without rigorous escaping, it creates a significant risk of command injection.
  • DATA_EXFILTRATION (MEDIUM): The ability to execute arbitrary code via pnpm on an untrusted branch allows a malicious PR to read sensitive files in the agent's environment (such as .env files or credentials) and exfiltrate them via network requests.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: CRITICAL
  • Analyzed: Feb 16, 2026, 05:35 AM