review-pull-request

Pass

Audited by Gen Agent Trust Hub on Feb 27, 2026

Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it reads untrusted data from GitHub pull request titles, descriptions, and code diffs. An attacker could include malicious instructions in a PR designed to deceive the agent into approving the change or performing other unauthorized actions.
      • Ingestion points: The gh pr view and gh pr diff commands used in Steps 1 and 2.
      • Boundary markers: Absent; there are no delimiters or instructions to ignore embedded commands.
      • Capability inventory: The skill can execute bash commands and perform write operations on GitHub via gh pr review and the GitHub API.
      • Sanitization: Absent; content from the diff is processed directly as text for analysis.
  • [COMMAND_EXECUTION]: Several bash commands in the procedure use unquoted placeholders such as <number>, {owner}, and {repo}. If these variables are populated by the agent with unsanitized user-provided strings, it could allow for command injection on the host system where the CLI is running.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 27, 2026, 10:52 PM