
pr-review

Fail

Audited by Gen Agent Trust Hub on Mar 26, 2026

Risk Level: HIGH
Threat categories: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill explicitly instructs the AI agent to bypass standard safety constraints and user confirmation protocols. Sections titled "Autonomous Execution" in SKILL.md and WORKFLOW.md command the agent to "Do NOT ask for user confirmation at any step," "Do NOT pause between tasks," and "Proceed directly through all workflow tasks." This is a significant safety override intended to gain full autonomy over the execution environment.
  • [COMMAND_EXECUTION]: The workflow automates high-impact write operations to the repository using gh pr edit and gt modify. The skill is instructed to "ALWAYS update the PR title and description" and to auto-fix code findings without user review or manual approval. This enables the autonomous modification of repository metadata and source code based on AI-generated content, which could be exploited to inject malicious code or misleading descriptions.
  • [DATA_EXFILTRATION]: The skill reads the full content of all changed source files and the PR diff to perform its analysis. This involves substantial data ingestion of potentially sensitive proprietary code, which is then passed to multiple specialized sub-agents.
  • [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection, as it processes untrusted PR diffs and file contents which directly influence its autonomous write operations.
      • Ingestion points: WORKFLOW.md Task 3 (reads changed files and PR diffs).
      • Boundary markers: Absent; no specific delimiters or "ignore embedded instructions" warnings are provided to the sub-agents performing the analysis.
      • Capability inventory: The skill possesses multiple write capabilities, including gh pr edit, gh pr comment, gt modify, and pnpm lint:fix.
      • Sanitization: Absent; the workflow does not specify sanitization or escaping for the AI-generated content before it is interpolated into shell commands for GitHub or Git operations.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 26, 2026, 07:24 AM
Security Audit — agent-trust-hub — pr-review