skills/steipete/clawdis/review-pr/Gen Agent Trust Hub

review-pr

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
PROMPT_INJECTION
COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION] (LOW): Indirect Prompt Injection Surface.
      • Ingestion points: The agent ingests untrusted data from GitHub pull request descriptions and diffs via the gh pr diff command (SKILL.md).
      • Boundary markers: Absent; there are no instructions or delimiters to isolate the untrusted content from the agent's instructions.
      • Capability inventory: The skill can execute various shell scripts (scripts/pr), perform git operations, and interact with the GitHub API via gh.
      • Sanitization: None specified in the instructions; the agent is instructed to read the raw diff and description.
  • [COMMAND_EXECUTION] (LOW): Use of source .local/review-context.env (SKILL.md) executes the contents of a file as shell code. If the scripts generating this file (e.g., scripts/pr-review) do not properly sanitize data sourced from the pull request, this could lead to arbitrary code execution.
  • [COMMAND_EXECUTION] (LOW): User-controlled input (<PR>) is interpolated directly into several shell commands (e.g., scripts/pr-review <PR>). If the agent does not strictly validate that the input is a numeric ID or valid URL, it could be exploited for command injection.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:12 PM