The Agent Skills Directory

Indirect Prompt Injection (MEDIUM): The skill processes untrusted external content (CodeRabbit reviews and comments) via the GitHub API. This data is used to decide which code files to read and how to formulate a prioritized fix plan. Ingestion points: Fetches PR comments and review bodies using gh api and GraphQL. Boundary markers: No explicit delimiters are used when interpolating comment bodies into the analysis prompt. Capability inventory: Authenticated network access (GitHub API) and local file read access. Sanitization: Relies on a filter for the coderabbitai author login, which does not prevent malicious instructions within the comments themselves.
Data Exposure (LOW): The workflow involves reading local files at paths specified in the external CodeRabbit comments. Evidence: The skill instructions state to "Read the actual code at the referenced file and line number" provided by the bot feedback. Risk: An attacker could craft a comment to point the agent at sensitive local files (e.g., .env, id_rsa) which might then be exposed in the summary report.
Command Execution (LOW): Several steps execute gh CLI commands using a PR number parsed from user-provided $ARGUMENTS. Evidence: gh pr view {pr_number} ... and gh api repos/{owner}/{repo}/pulls/{pr_number}/.... Risk: If the agent fails to strictly validate the PR number as an integer, a malicious user could provide input designed to perform command injection.

coderabbit