skills/witooh/skills/gitlab-kiro/Gen Agent Trust Hub

gitlab-kiro

Pass

Audited by Gen Agent Trust Hub on Mar 13, 2026

Risk Level: SAFE [PROMPT_INJECTION] [COMMAND_EXECUTION]
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an Indirect Prompt Injection attack surface. It fetches and processes external, untrusted data (MR titles, descriptions, diffs, and comments) from GitLab via the glab CLI. This content is then used to construct prompts for subagents (code-reviewer, security, and qa). An attacker could embed malicious instructions in an MR to influence the review results or subsequent actions.
      • Ingestion points: Data is ingested from glab mr view, glab mr diff, and glab mr note list commands as described in SKILL.md.
      • Boundary markers: The skill lacks explicit delimiters or instructions to the LLM to ignore embedded commands within the ingested MR data.
      • Capability inventory: The skill can execute shell commands (glab), read local convention files, and invoke other subagents.
      • Sanitization: There is no evidence of sanitization or filtering of the fetched MR content before it is interpolated into subagent queries.
  • [COMMAND_EXECUTION]: The skill uses the shell tool to execute various glab CLI commands. While the commands are parameterized with mr_id and repo_ref extracted from user-provided URLs, the reliance on the agent's parsing logic for these parameters is a standard part of its operation. The scope of execution is limited to the functionality provided by the glab tool.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 13, 2026, 06:51 AM