code-reviewer
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill instructs the agent to read PR descriptions and comments to 'understand the goal and history' (SKILL.md). This content is provided by external contributors and lacks sanitization or boundary markers. An attacker can embed instructions in these fields to override the agent's review logic or trick it into performing unauthorized actions.
- [Remote Code Execution] (HIGH): The 'Preparation' workflow for remote PRs involves checking out the PR and immediately executing `npm run preflight`. Because `preflight` scripts are defined in the project's `package.json`, an attacker can submit a PR with a modified `package.json` containing malicious commands. These commands will execute with the user's privileges when the agent attempts to run the preflight check.
- [Command Execution] (MEDIUM): The skill makes extensive use of shell commands (`gh`, `git`, `npm`). While these are necessary for the skill's function, executing them on untrusted branches checked out from remote sources without a sandbox environment creates a high-risk surface for privilege escalation or system compromise.
Recommendations
- AI detected serious security threats
Audit Metadata