The Agent Skills Directory

[PROMPT_INJECTION]: The skill is designed to ingest and act upon data from external sources, specifically GitHub PR comments and review bodies. This creates a surface for Indirect Prompt Injection.
Ingestion points: Comments are fetched from the GitHub API using gh api calls in scripts/gh_pr_ops.ts (functions fetchUnified, runGh).
Boundary markers: The skill filters comments based on reactions and bot prefixes in isNewItem, but lacks explicit delimiters or instructions to the LLM to ignore potentially malicious commands embedded within the text of those comments.
Capability inventory: The agent has the capability to modify source code, run arbitrary build/test commands (SKILL.md step 4.3), and push changes to a remote repository.
Sanitization: There is no evidence of sanitization or escaping of the comment body text before it is processed by the agent.
[COMMAND_EXECUTION]: The helper script scripts/gh_pr_ops.ts executes the gh CLI tool using execFileSync. While it uses structured arguments which mitigates shell injection, the skill's workflow encourages the agent to run project-specific verification commands (tests, linting, building) that are not predefined and could be influenced by malicious instructions in a PR comment.

gh-pr