skills/qwenlm/qwen-code/pr-review/Gen Agent Trust Hub

pr-review

Warn

Audited by Gen Agent Trust Hub on Mar 16, 2026

Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill automates the checkout and execution of code from untrusted pull requests. Specifically, it executes npm run build and npx tsx on code provided by external contributors. A malicious actor could submit a pull request with compromised scripts (e.g., in package.json or test files) that would execute arbitrary commands on the host environment when the smoke test workflow is triggered.
  • [COMMAND_EXECUTION]: The skill uses the gh CLI and npm to perform operations on local and remote code. It executes checkout, build, and test commands which are sensitive when performed on untrusted repositories.
  • [INDIRECT_PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted code changes from pull requests.
      • Ingestion points: Data enters the agent's context through gh pr diff and gh pr checkout as described in SKILL.md.
      • Boundary markers: No explicit delimiters or safety instructions are used to distinguish untrusted pull request data from the agent's core instructions.
      • Capability inventory: The skill possesses the ability to execute shell commands (npm, gh, npx) and interact with a web browser via Playwright to upload files.
      • Sanitization: There is no evidence of sanitization or validation of the pull request content before it is executed or analyzed.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 16, 2026, 02:12 PM