codex-pr-review

Fail

Audited by Gen Agent Trust Hub on Mar 13, 2026

Risk Level: HIGH
[EXTERNAL_DOWNLOADS] [REMOTE_CODE_EXECUTION] [COMMAND_EXECUTION] [PROMPT_INJECTION]
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill requires the installation of an external skill pack via npx github:lploc94/codex_skill as documented in SKILL.md. This downloads and executes code from a non-trusted personal GitHub repository.
  • [REMOTE_CODE_EXECUTION]: The workflow involves running a local Node.js script (referenced via {{RUNNER_PATH}}) that interacts with the external codex CLI and the downloaded skill pack. Specifically, node "$RUNNER" start and node "$RUNNER" poll are used to execute logic derived from external inputs.
  • [COMMAND_EXECUTION]: The skill executes multiple shell commands including git diff, git log, git add, and git commit to inspect and modify the local repository based on the AI's review findings.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through untrusted pull request data. An attacker can craft a PR title, description, or code comments that contain instructions to override the agent's behavior.
  • Ingestion points: Untrusted data enters the agent context via {PR_TITLE}, {PR_DESCRIPTION}, and the contents of the repository processed by git diff as seen in references/prompts.md and references/workflow.md.
  • Boundary markers: The prompt templates in references/prompts.md lack robust boundary markers or delimiters to separate instructions from the untrusted PR content, making it easier for an injection to succeed.
  • Capability inventory: The skill has high-impact capabilities, including the ability to edit local files and automatically commit those changes to the repository (references/workflow.md Step 4: "edit code and record fix evidence... commit them").
  • Sanitization: There is no evidence of sanitization or validation performed on the PR metadata or file content before it is interpolated into the system prompt.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 13, 2026, 02:53 PM