bmad-checkpoint-preview
Pass
Audited by Gen Agent Trust Hub on Apr 26, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It ingests content from external, potentially untrusted sources including pull request descriptions (via gh pr view), git commit messages, and specification files. This content is used to determine the 'intent' and 'Suggested Review Order' of a code change. An attacker could craft these inputs to include malicious instructions designed to mislead the agent or influence its review conclusions.
  - Ingestion points: Pull request data, commit logs, and markdown specification files are read in step-01-orientation.md. The full contents of modified files are read in generate-trail.md.
  - Boundary markers: The skill does not employ robust boundary markers or delimiters to isolate untrusted data from its core instructions.
  - Capability inventory: The skill can execute shell commands via git and gh, including the ability to approve pull requests (gh pr review --approve) in step-05-wrapup.md, and it has read access to the local codebase.
  - Sanitization: No explicit sanitization or filtering of external data is performed before processing.
- [COMMAND_EXECUTION]: The skill executes shell commands using git (to retrieve diffs and metadata) and gh (to interact with GitHub pull requests). While these tools are used for the skill's primary purpose, they represent a capability that processes data derived from the repository environment.