
github

Warn

Audited by Gen Agent Trust Hub on Mar 30, 2026

Risk Level: MEDIUM
Findings: CREDENTIALS_UNSAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill provides instructions to output the current authentication token using gh auth token. This can lead to sensitive credentials being recorded in logs or exposed in the agent's conversation history.
  • [CREDENTIALS_UNSAFE]: The documentation suggests a remediation step for authentication issues that involves embedding the GITHUB_TOKEN directly into the repository's remote URL: git remote set-url origin https://${GITHUB_TOKEN}@github.com/username/repo.git. This practice is insecure as it stores the plain-text token in the local .git/config file, which is a common target for credential harvesting.
  • [PROMPT_INJECTION]: The skill is highly susceptible to Indirect Prompt Injection (Category 8) due to its interaction with untrusted external content.
      ◦ Ingestion points: Untrusted data enters the context via gh pr view, gh issue view, gh issue list, and GraphQL queries fetching review threads.
      ◦ Boundary markers: No technical boundary markers or specific "ignore" instructions for embedded data are provided in the prompt templates.
      ◦ Capability inventory: The agent has access to the Bash tool, allowing it to execute arbitrary shell commands, modify source code via git, and alter repository states via gh.
      ◦ Sanitization: There is no technical sanitization or validation of the ingested content; the skill relies on the LLM to "critically evaluate" comments, which can be bypassed by sophisticated adversarial prompts.
  • [COMMAND_EXECUTION]: The skill relies heavily on the Bash tool to execute gh and git commands. While these are used for the skill's intended purpose, the lack of input sanitization when processing branch names or PR titles (e.g., in the PR creation logic) could lead to command injection if the agent processes malicious user-supplied strings.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 30, 2026, 02:27 PM