
shift

Pass

Audited by Gen Agent Trust Hub on Feb 26, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it explicitly instructs the agent to "follow any instructions given in the PR description or comments" (Step 6). An attacker could place malicious instructions in a pull request that the agent might interpret as authoritative.
  • Ingestion points: The skill fetches untrusted content using gh pr view $ARGUMENTS --comments in SKILL.md Step 1.
  • Boundary markers: None. The skill does not use delimiters or instructions to distinguish between system tasks and untrusted PR content.
  • Capability inventory: The agent can execute shell commands (composer, php artisan, gh), modify files in the local directory, and perform network operations via the gh and composer tools.
  • Sanitization: None. There is no logic to filter or validate instructions received from the PR metadata.
  • [COMMAND_EXECUTION]: The skill executes several commands that run code defined within the repository, which could be malicious in a compromised or attacker-controlled pull request.
  • Evidence: composer update can execute arbitrary PHP scripts defined in the scripts section of composer.json.
  • Evidence: php artisan test executes the application's test suite, allowing for arbitrary code execution in the context of the testing environment.
  • Evidence: The skill dynamically searches for and executes code fixers (Duster, Pint, or PHP CS Fixer) based on the contents of the project's composer.json.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 26, 2026, 10:11 PM