review-pr

Pass

Audited by Gen Agent Trust Hub on Apr 19, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill makes extensive use of the Bash tool to interact with the GitHub CLI (gh). It executes commands such as gh pr view, gh pr diff, and gh pr review to manage pull requests. Additionally, the skill includes instructions for running local tests via docker-compose and language-specific test runners like pytest and npm, which involve arbitrary command execution on the host system.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It ingests untrusted data from external sources (pull request diffs and comments) and interpolates this content directly into the prompts of specialized sub-agents (e.g., security-auditor, code-quality-reviewer). Maliciously crafted code comments or documentation within a PR could attempt to influence the sub-agents' behavior or outcomes.
    ◦ Ingestion points: gh pr view and gh pr diff in SKILL.md.
    ◦ Boundary markers: The sub-agent prompts in rules/agent-prompts-task-tool.md use section headers but lack explicit markers or warnings to ignore instructions embedded within the code diffs.
    ◦ Capability inventory: The agent has access to Bash, Write, Edit, and mcp__memory tools, providing a significant impact surface if an injection is successful.
    ◦ Sanitization: No explicit sanitization or filtering of the PR content is performed before interpolation.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 19, 2026, 02:03 AM