NYC

github-pr-manager

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION] (LOW): The skill is susceptible to indirect prompt injection (Category 8) because it ingests untrusted data from external sources and has powerful capabilities.
    Evidence Chain:
    1. Ingestion points: Pull request titles, bodies, and file diffs via 'gh pr view' and 'gh pr diff'.
    2. Boundary markers: None present in instructions to distinguish between agent instructions and PR content.
    3. Capability inventory: Use of 'Bash()' to execute shell commands.
    4. Sanitization: No sanitization or validation of PR content before processing or interpolation into commands.
  • [COMMAND_EXECUTION] (LOW): The skill intentionally executes shell commands like 'gh' and 'npm test'. While this is the primary purpose of the skill, executing 'npm' scripts on untrusted pull requests is a known vector for remote code execution if the PR contains malicious changes to package.json.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:22 PM