
code-review

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill processes untrusted external data from PR descriptions and commit messages (as seen in Step 2.2 of SKILL.md). Because the agent also possesses the run_terminal_cmd tool and is explicitly instructed to "run relevant checks" (Step 3.4) and "run tests/linters" (Step 4), a malicious contributor could include instructions in the PR description or code comments that override the agent's behavior.
    • Ingestion points: PR/commit descriptions and file content via read_file (SKILL.md).
    • Boundary markers: None identified. No instructions are provided to the agent to ignore or delimit embedded instructions in the processed code or metadata.
    • Capability inventory: run_terminal_cmd, read_file (SKILL.md frontmatter).
    • Sanitization: None identified. The skill lacks validation or filtering of external content before processing.
  • Command Execution (HIGH): The skill uses run_terminal_cmd to execute common development tasks like tests and linters (Step 4, SKILL.md). In an adversarial context, if the repository being reviewed is malicious, commands like npm test or pytest can be hijacked (e.g., via a malicious package.json or conftest.py) to execute arbitrary code on the system running the agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 12:06 PM