
pr-review

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill has a high-risk attack surface because it ingests untrusted external data (pull request descriptions, commits, and code diffs).
  • Ingestion points: Data enters the agent context through WebFetch, Read, and the `gh pr diff` command (SKILL.md).
  • Boundary markers: Absent; the skill provides no delimiters or instructions to help the agent distinguish between PR content and its own operational instructions.
  • Capability inventory: The agent has access to Bash, Task, and WebFetch, allowing file modification, network communication, and system-level command execution.
  • Sanitization: Absent; there is no validation or filtering of the content being read from the PRs.
  • Remote Code Execution (HIGH): The workflow section (SKILL.md) explicitly instructs the agent to "Run checks: Build, lint, test if applicable." Because the agent is granted the Bash and Task tools, it is likely to execute the build scripts (e.g., npm install, make, pytest) defined by the untrusted pull request; npm install, for example, runs any preinstall or postinstall lifecycle script the PR's package.json declares. An attacker could place malicious commands in these scripts to gain control of the agent's host environment.
  • Command Execution (HIGH): The skill gives the agent powerful shell-access tools (Bash, Task) and a mandate to execute commands based on the structure of the repository under review, with no sandboxing for the untrusted third-party code it is handling.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 08:31 AM