prepare-pr
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on executing local shell scripts (scripts/pr-prepare, scripts/committer) and system tools like jq to perform its tasks. These scripts take input parameters such as the PR number or URL, which could be a vector for command injection if the input is not properly sanitized by the underlying scripts or the agent context.
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8) because it processes untrusted data from external files.
  1. Ingestion points: Data is ingested from .local/review.json, specifically within the findings, changelog, and docs fields.
  2. Boundary markers: The instructions lack explicit delimiters or warnings to ignore potential instructions embedded within the JSON data.
  3. Capability inventory: The skill has significant capabilities, including file system writes (modifying CHANGELOG.md and documentation) and executing subprocesses for Git commits and pushes.
  4. Sanitization: There is no evidence of sanitization or validation performed on the strings extracted from the JSON file before they are interpolated into the agent's workflow.