gitlab-mr-review

Warn

Audited by Gen Agent Trust Hub on Apr 8, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill interpolates the placeholders {source_branch} and {merge_request_iid} directly into shell commands for git fetch and git worktree in Step 2 and Step 8. These values are sourced from external GitLab Merge Request metadata and are not sanitized, allowing an attacker to execute arbitrary commands on the runner by crafting malicious branch names or identifiers containing shell metacharacters.
  • [EXTERNAL_DOWNLOADS]: Step 0 of the workflow directs users to download and install a GitLab MCP server from a third-party GitHub repository (github.com/zereight/gitlab-mcp) which is not affiliated with a trusted organization or the skill's author.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted content from Merge Request descriptions, discussions, and source code. The workflow lacks boundary markers to isolate external data from instructions and explicitly directs a subagent to read potentially malicious configuration files like .github/copilot-instructions.md from the untrusted branch, which could lead to subversion of the agent's behavior during the review process.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 8, 2026, 09:27 AM