wp-pr-review

Pass

Audited by Gen Agent Trust Hub on Feb 26, 2026

Risk Level: SAFE
Finding categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill ingests and analyzes untrusted code from Pull Request diffs (Phase 1, Step 2) and performs LLM-based analysis on that content (Step 4). This creates a surface for indirect prompt injection, where an attacker could embed malicious instructions in code comments or documentation to manipulate the review outcome or agent behavior.
  • Ingestion points: Fetches PR diffs and file patches from GitHub, GitLab, or local repositories in Step 2.
  • Boundary markers: There are no explicit instructions or delimiters mentioned to isolate the untrusted diff content from the agent's instructions during analysis.
  • Capability inventory: The skill utilizes Bash (CLI execution), Write (outputting reports to the filesystem), and Edit (modifying internal configuration files).
  • Sanitization: No sanitization or filtering of the diff content is mentioned before the content is processed by the LLM.
  • [COMMAND_EXECUTION]: The skill employs the Bash tool to execute gh, glab, and git commands. These commands are dynamically constructed from parameters (such as repository owner, name, and PR number) parsed from user-provided arguments in Step 0. While the commands interact only with well-known and trusted services, the safety of the resulting shell invocations depends on the parsing logic validating those values before they are interpolated into a command line.
  • [SAFE]: The skill references standard WordPress security, performance, and coding checklists located within its own local references/ directory. It also communicates exclusively with well-known and trusted services like GitHub and GitLab using their official command-line interfaces.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 26, 2026, 08:35 PM