pr-gfm-validator

Warn

Audited by Gen Agent Trust Hub on Feb 28, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS)
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides a Bash workflow template for creating pull requests that is vulnerable to shell injection.
      • Evidence: The workflow in SKILL.md uses gh pr create --title "..." --body "$CONVERTED_BODY". If the PR body content (captured from the user or previous scripts) contains shell metacharacters such as backticks (`), subshells ($()), or unescaped double quotes, it can lead to arbitrary command execution when the agent runs the generated Bash script.
  • [CREDENTIALS_UNSAFE]: The documentation includes examples that reference sensitive configuration files.
      • Evidence: Example 3 in SKILL.md explicitly demonstrates how to convert a link to .env.clickhouse. Referencing environment files in PR descriptions or repositories is a high-risk practice that can lead to the exposure of secrets, especially when converted to absolute URLs on public or shared branches.
  • [EXTERNAL_DOWNLOADS]: The skill utilizes the GitHub CLI and Git to interact with remote repositories.
      • Evidence: The preflight and integration scripts execute gh repo view and git rev-parse to fetch metadata from GitHub, which is a well-known service.
  • [PROMPT_INJECTION]: The skill processes untrusted data (PR descriptions) which could contain indirect prompt injections.
      • Ingestion points: The PR body content is processed by regex patterns in Step 2 and Step 4.
      • Boundary markers: No explicit delimiters or instructions are used to prevent the agent from obeying instructions embedded within the PR body being processed.
      • Capability inventory: The skill uses Bash subprocess calls and the gh CLI tool.
      • Sanitization: No sanitization or escaping logic is provided for the PR body content before it is interpolated into shell commands.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 28, 2026, 03:57 AM