skills/helderberto/skills/code-review/Gen Agent Trust Hub

code-review

Pass

Audited by Gen Agent Trust Hub on Mar 26, 2026

Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It ingests untrusted data from GitHub Pull Requests (PR body and diffs) using the gh pr view and gh pr diff commands in SKILL.md. This external content is placed directly into the agent's context without using boundary markers (like XML tags or clear delimiters) or instructions to ignore embedded commands. A malicious contributor could craft a PR containing instructions designed to hijack the agent's behavior or misrepresent the review results.
  • [COMMAND_EXECUTION]: The skill uses the GitHub CLI (gh) through shell commands to retrieve PR information. These operations are limited to the gh tool as defined in the allowed-tools metadata and are consistent with the skill's primary purpose of reviewing code. While legitimate, this creates a dependency on an authenticated session and the local environment's CLI configuration.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 26, 2026, 10:12 AM