skills/tencent/tgfx/cr/Gen Agent Trust Hub

cr

Pass

Audited by Gen Agent Trust Hub on Mar 13, 2026

Risk Level: SAFE
Finding Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by processing untrusted data to influence agent actions. Ingestion points: Untrusted data enters the context via PR bodies, existing PR comments, and code diffs in 'references/pr-review.md' and 'references/teams-review.md'. Boundary markers: The instructions lack explicit delimiters or warnings to ignore embedded instructions in the ingested content. Capability inventory: The agents can execute git and gh commands (including PR approval and merging) and run project-defined build and test scripts. Sanitization: No validation or sanitization is performed on the ingested external content before it is used to guide the review process.
  • [COMMAND_EXECUTION]: The skill executes local commands including git, gh, and repository-specific build/test scripts. Specifically, 'references/teams-review.md' automatically runs build and test commands to validate fixes, which could lead to arbitrary code execution if the repository configuration is malicious.
  • [COMMAND_EXECUTION]: In 'references/pr-review.md', the skill contains a shell script snippet for cleaning up temporary worktrees in '/tmp'. This logic derives branch names from directory paths using 'basename' and 'sed', which is vulnerable to command injection on shared systems if a malicious user creates a directory with a crafted name (e.g., using command substitution syntax) that is then executed by the agent.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 13, 2026, 01:32 PM