skills/tercel/code-forge/review/Gen Agent Trust Hub

review

Pass

Audited by Gen Agent Trust Hub on Mar 30, 2026

Risk Level: SAFE
Full Analysis
  • [PROMPT_INJECTION]: The skill processes potentially untrusted data from external sources, specifically GitHub PR comments and user-pasted feedback, which introduces a surface for indirect prompt injection.
      • Ingestion points: Untrusted content enters the context through gh pr view --comments and user-provided feedback strings as described in feedback-workflow.md.
      • Boundary markers: While no technical delimiters are specified for the untrusted text, the skill provides an "Iron Law" against "Blind Implementation," requiring the agent to verify and evaluate feedback before acting.
      • Capability inventory: The skill can execute shell commands via gh, read any file in the repository, and post data back to GitHub.
      • Sanitization: Employs logical sanitization via explicit instructions that mandate technical verification and prohibit performance-based obedience to reviewer suggestions.
  • [COMMAND_EXECUTION]: The skill uses the gh CLI to interact with GitHub for fetching diffs and posting comments.
      • Employs security best practices in github-pr-workflow.md by using single-quoted heredoc delimiters ('REVIEW_EOF') when posting review comments, which prevents shell expansion or execution of any malicious patterns contained within the generated review body.
  • [DATA_EXFILTRATION]: Network operations are performed via the gh CLI to communicate with GitHub API endpoints.
      • These operations are strictly limited to the tool's core functionality (reading PR data and posting reviews) and target whitelisted GitHub domains.

Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 30, 2026, 12:08 AM