The Agent Skills Directory

[INDIRECT_PROMPT_INJECTION]: The skill processes untrusted external data from GitHub, which could potentially contain malicious instructions aimed at influencing the AI's review and verdict.
Ingestion points: The skill fetches PR metadata, descriptions, comments, review threads, and changelog content via the GitHub MCP server as part of its research phase (documented in agents/research-advisor.md).
Boundary markers: While the skill uses structured markdown templates (assets/research-template.md and assets/verdict-template.md) to separate data categories, it does not explicitly employ specific 'ignore embedded instructions' delimiters for the fetched third-party text.
Capability inventory: The skill possesses capabilities to modify repository state, including the ability to rebase, approve, and merge PRs (facilitated by agents/source-control-advisor.md).
Sanitization: The instructions do not specify explicit sanitization or filtering of the fetched text before processing.
Mitigation: The risk is significantly mitigated by the core design principle requiring explicit maintainer confirmation before any mutation or merge action occurs, ensuring a human reviews the AI's recommendation before it is executed.

fusion-dependency-review