NYC

github-code-review

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill is designed to ingest and process untrusted data from GitHub pull requests (titles, bodies, and code diffs). It lacks any boundary markers or sanitization logic to prevent the AI from obeying instructions embedded within these external inputs.
  • Ingestion points: gh pr view and gh pr diff commands capture external PR content into variables like PR_DATA and PR_DIFF.
  • Boundary markers: Absent; untrusted data is passed directly to agents.
  • Capability inventory: The skill can approve PRs (gh pr review --approve), request changes, and post arbitrary comments via gh api and gh pr comment.
  • Sanitization: None; the AI processes the raw diff and description text.
  • Remote Code Execution / External Downloads (HIGH): Multiple usage examples (e.g., Examples 1, 2, and 4) rely on npx ruv-swarm. This command downloads a package from the NPM registry at runtime and executes it. The package ruv-swarm is not from a trusted source, and the invocation has no version pinning and no integrity verification, so a compromised or replaced package would run with the skill's privileges, a supply chain attack.
  • Command Execution (MEDIUM): The skill relies heavily on shell command substitution (e.g., $(gh pr view ...)). If pull request data contains shell metacharacters and the value is not quoted or escaped before reuse, it could lead to command injection, especially where the captured output is piped on to tools like jq or grep.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 06:31 AM