pr-comment-responder

Warn

Audited by Gen Agent Trust Hub on Apr 26, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The documentation in SKILL.md and references/workflow.md describes a workflow that involves interpolating the raw user prompt into shell commands, such as python3 "$SCRIPTS_DIR/utils/extract_github_context.py" --text "[prompt]". This pattern is risky as it could allow an attacker to execute arbitrary shell commands if the agent platform performs literal string substitution without sufficient escaping of shell-sensitive characters.
  • [PROMPT_INJECTION]: The skill processes untrusted external data, creating an indirect prompt injection surface.
    1. Ingestion points: The skill retrieves PR review comments and issue comments via get_pr_review_comments.py, as indicated in SKILL.md and references/workflow.md.
    2. Boundary markers: No specific instructions or delimiters are mentioned to isolate the retrieved comment content, or to instruct the agent to ignore embedded commands, before the content is passed to the orchestrator agent in Phase 3.
    3. Capability inventory: The skill can perform repository actions, including posting replies via post_pr_comment_reply.py, resolving threads via resolve_pr_review_thread.py, and merging PRs, as referenced in references/bots.md.
    4. Sanitization: The workflow documents no input sanitization or validation of the comment text before it is analyzed and acted upon by the agent.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 26, 2026, 03:46 PM