
pr-review

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [Remote Code Execution] (HIGH): The skill's workflow (Step 4) explicitly instructs the agent to 'infer a reasonable default' test command or use a user-provided one after checking out an untrusted PR branch. This creates a direct path for executing arbitrary code if a malicious PR includes scripts (e.g., a poisoned package.json or Makefile) that the agent executes under the guise of running tests.
  • [Indirect Prompt Injection] (HIGH): The skill is designed to ingest and act upon untrusted external data without sufficient safeguards.
      ◦ Ingestion points: SKILL.md collects data via gh pr view (title, body) and gh pr diff. This content is controlled by the PR author.
      ◦ Boundary markers: Absent. There are no delimiters or instructions to the agent to treat PR content as data rather than instructions.
      ◦ Capability inventory: The skill has shell execution capabilities via gh, git, and the dynamic test execution step.
      ◦ Sanitization: None. The agent processes raw PR metadata and code changes, which can be used to hijack the agent's reasoning or command generation.
  • [Command Execution] (MEDIUM): The skill relies on several shell-based tools (gh, git). While the skill includes some 'Safety Rules' (e.g., avoiding git reset --hard), these are internal instructions that do not prevent an adversary from manipulating the agent into executing other dangerous commands through prompt injection.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 06:37 AM