
code-review

Fail

Audited by Gen Agent Trust Hub on Mar 16, 2026

Risk Level: HIGH

Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses user-provided $ARGUMENTS (PR numbers or URLs) directly in shell commands such as gh pr view and gh pr diff. A malicious user could provide input containing shell metacharacters (e.g., 123; rm -rf /) to execute arbitrary commands on the system.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted data from external sources.
      • Ingestion points: The agent reads content from gh pr view (PR titles/descriptions), gh issue view (issue descriptions), and local files in tmp/issues/, which are likely populated from external data.
      • Boundary markers: There are no explicit delimiters or instructions to ignore embedded commands within the fetched content.
      • Capability inventory: The skill has access to the Bash tool, allowing full shell command execution.
      • Sanitization: No sanitization or validation of the fetched GitHub content is performed before processing.
  • [DATA_EXFILTRATION]: The skill accesses local files using a path constructed from user input (tmp/issues/<issue-number>/). This pattern is vulnerable to path traversal if the issue number is not strictly validated, potentially allowing the agent to read sensitive files outside the intended directory.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH

Analyzed: Mar 16, 2026, 11:19 AM