review-github-pr

Pass

Audited by Gen Agent Trust Hub on Mar 18, 2026

Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: User-provided inputs such as branch names and PR numbers are directly interpolated into shell commands for the gh CLI and git (e.g., gh pr list --head "<branch>"). Without explicit sanitization, this pattern allows for command injection if a user provides a branch name containing shell metacharacters.
  • [COMMAND_EXECUTION]: The skill uses user-controlled branch names to generate file paths for summary reports (e.g., reviews/<branch-name>-review.md). The absence of sanitization for path delimiters makes the skill vulnerable to path traversal, potentially allowing files to be written to unintended directories.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted external content.
      1. Ingestion points: PR title and body metadata (SKILL.md Step 2) and the full code diff (SKILL.md Step 3).
      2. Boundary markers: None; the skill instructs the agent to read the full diff and description without delimiters.
      3. Capability inventory: The skill has the ability to execute shell commands (gh/git) and write files to the local system (Step 5).
      4. Sanitization: None; external content is analyzed directly to generate summaries, which could trigger unintended agent behavior if the PR contains malicious instructions.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 18, 2026, 10:04 AM