ah-verify-requirements-coverage

Pass

Audited by Gen Agent Trust Hub on Mar 27, 2026

Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted text from external sources to define its logic and report results. An attacker could craft a GitHub issue or PR description that contains instructions to override the agent's analysis or force a false coverage report.
      • Ingestion points: Pull request body content (via gh pr view), GitHub issue descriptions (via gh issue view), and code diffs (via gh pr diff or git diff).
      • Boundary markers: Absent. The skill does not instruct the agent to use delimiters or ignore instructions embedded within the fetched data.
      • Capability inventory: Network access to the GitHub API and local shell command execution via the gh, git, and jq utilities.
      • Sanitization: The skill uses regex and jq to isolate numeric identifiers, but the descriptive text content used for requirement extraction and coverage analysis is not sanitized.
  • [COMMAND_EXECUTION]: The skill executes shell commands using variables like $PR_NUMBER, $ISSUE_NUMBER, and $REPO_NAME derived from user input or remote metadata. Although the provided procedures include patterns for numeric extraction, any failure to strictly validate these variables before shell interpolation could lead to local command injection.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 27, 2026, 01:35 AM