pr-polish

Pass

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection by processing untrusted data from GitHub PRs.
    - Ingestion points: The workflow reads PR descriptions, commit history, and code diffs using gh pr view and gh pr diff in the 'Context' and 'Hindsight Review' steps.
    - Boundary markers: There are no explicit markers or instructions to the agent to treat the PR content as untrusted or to ignore instructions embedded within the PR body or diff.
    - Capability inventory: The skill possesses significant capabilities, including writing to GitHub (gh pr edit, gh issue create), executing arbitrary project tests via pnpm test, and potentially modifying the codebase via the /refactor skill.
    - Sanitization: PR content is passed directly to agents (like hindsight-reviewer) and used in documentation updates without sanitization.
  • [COMMAND_EXECUTION]: The skill executes multiple shell commands (gh, pnpm, glance) that rely on the $PR argument. If the execution environment does not properly sanitize this variable, it could lead to command injection. Furthermore, the execution of pnpm test runs code from the repository being polished, which is an inherent risk in automated tasks that execute unvetted code.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 1, 2026, 02:02 AM