The Agent Skills Directory

[COMMAND_EXECUTION]: The skill uses the Bash tool to execute shell pipelines including curl, tar, and grep. These commands interpolate variables like package names and versions directly into shell strings, which could lead to command injection if the inputs (e.g., from PR metadata) are not strictly validated.
[EXTERNAL_DOWNLOADS]: The skill dynamically downloads package tarballs from the npm registry using curl -sL $(npm view ...). While npm is a well-known and trusted service, the process of automatically fetching and extracting arbitrary external code for analysis constitutes a significant attack surface.
[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its ingestion of external package data.
Ingestion points: The agent reads metadata from npm view and source code extracted from third-party archives in the old and new directories.
Boundary markers: No explicit delimiters or instructions are provided to help the agent distinguish between its own logic and instructions that might be embedded in the code or comments of the packages being analyzed.
Capability inventory: The agent has access to Bash for command execution and gh pr comment for external data transmission.
Sanitization: Content extracted from third-party packages is included in compatibility reports and PR comments without specified sanitization or escaping mechanisms.

1k-pkg-upgrade-review