gitlab-address-comments

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (LOW): The skill is vulnerable to indirect prompt injection because it ingests untrusted data from GitLab MR comments and uses it to drive code modifications and test execution.
      • Ingestion points: The fetch_comments.py script retrieves MR discussion notes via the GitLab API, which are then processed by the agent.
      • Boundary markers: There are no delimiters or specific instructions to help the agent distinguish between legitimate feedback and malicious commands embedded within comments.
      • Capability inventory: The agent is explicitly instructed in SKILL.md to 'Implement fixes' and 'Run the most relevant tests' based on the ingested comments, providing a significant impact surface.
      • Sanitization: No sanitization or validation of the comment content is performed before it is presented to the LLM.
  • Command Execution (SAFE): The skill executes glab and git commands. It correctly uses structured command lists with subprocess.run in the Python script and properly quotes variables in the markdown bash blocks, effectively preventing shell injection attacks.
  • External Dependencies (LOW): The skill requires the glab CLI tool and network access to a GitLab instance. While these are legitimate requirements for the skill's purpose, they represent an external dependency that manages sensitive credentials like GITLAB_TOKEN.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 05:22 PM