kata-review-pull-requests

Pass

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: SAFE
Finding categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through the ingestion of external data.
      ◦ Ingestion points: The skill reads git diff output and project-specific context files (such as CLAUDE.md) and interpolates them directly into the prompts it sends to subagents.
      ◦ Boundary markers: The skill wraps untrusted data in XML-style tags such as <diff> and <project-context>. These markers help a model tell data from instructions, but they are not robust against adversarial content: text inside the tags can still carry instructions that a subagent may follow.
      ◦ Capability inventory: The skill has significant capabilities, including automated code modification (the 'Fix all issues' path), GitHub issue creation via gh issue create, and pull request merging via gh pr merge.
      ◦ Sanitization: There is no evidence of sanitization, filtering, or instruction-aware escaping of diff or project-file content before it is sent to the subagents.
  • [COMMAND_EXECUTION]: The skill performs several shell operations to interact with the environment and project state.
      ◦ Executes git commands (git diff, git commit, git checkout, git pull) to manage the repository.
      ◦ Uses the GitHub CLI (gh pr view, gh pr merge, gh issue create) for repository and pull request management.
      ◦ Runs local scripts, including node scripts/kata-lib.cjs and bash scripts/manage-worktree.sh, to handle configuration and environment setup.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 10, 2026, 11:59 AM