code-review-playbook

Warn

Audited by Gen Agent Trust Hub on Mar 26, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The instruction file scripts/review-pr.md directs the agent to execute shell commands using user-supplied input (e.g., gh pr view $ARGUMENTS). The instructions do not specify sanitization or quoting for the $ARGUMENTS variable, which could allow a malicious user to perform command injection by providing arguments containing shell metacharacters (e.g., 123; malicious_command).
  • [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface in scripts/review-pr.md by retrieving and processing untrusted data from external pull requests.
    ◦ Ingestion points: Untrusted content is fetched from GitHub pull request titles, descriptions, diffs, and comments using gh pr view and gh pr diff commands.
    ◦ Boundary markers: Absent. The skill does not provide delimiters or instructions to the agent to treat the fetched PR content as potentially hostile or untrusted data.
    ◦ Capability inventory: The agent has access to powerful tools including Bash, Read, Grep, WebFetch, and WebSearch, which could be exploited if the agent follows malicious instructions embedded in a pull request.
    ◦ Sanitization: No validation or sanitization is performed on the external data before it is presented to the agent's context.
  • [COMMAND_EXECUTION]: The skill utilizes dynamic context injection (the !`command` syntax) within scripts/review-pr.md to execute shell commands such as git branch --show-current and gh pr list at the moment the skill is loaded. While these specific commands are used for context gathering in a developer environment, they represent automated execution of shell logic upon accessing the skill.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 26, 2026, 10:47 AM