git-pr-merge

Warn

Audited by Gen Agent Trust Hub on Mar 16, 2026

Risk Level: MEDIUM

Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill dynamically detects and executes project-specific commands such as npm test, pytest, or cargo test on code checked out from Pull Requests (SKILL.md). This allows for arbitrary command execution if a PR author modifies these scripts to include malicious payloads.
  • [REMOTE_CODE_EXECUTION]: The workflow involves fetching untrusted code via gh pr checkout and running it locally during validation (SKILL.md), creating a pathway for remote code execution.
  • [EXTERNAL_DOWNLOADS]: Validation steps may trigger package managers to download external dependencies. A malicious PR could introduce malicious packages or point to compromised registries via npm install or similar package installation commands.
  • [PROMPT_INJECTION]:
    1. Ingestion points: gh pr view and gh pr diff in SKILL.md.
    2. Boundary markers: Delimiters are absent for instructions within PR diffs.
    3. Capability inventory: Subprocess execution of git, gh, and arbitrary build/test tools in SKILL.md.
    4. Sanitization: Sanitization or filtering of PR content is absent.
    This creates a surface for indirect prompt injection where hidden instructions could trick the agent into ignoring security flaws.
  • [DATA_EXFILTRATION]: Malicious code executed during the validation phase has the potential to access sensitive environment variables or local files and exfiltrate them via network requests.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 16, 2026, 02:29 AM