skills/jojious/ada-skills/gitlab-kiro/Gen Agent Trust Hub

gitlab-kiro

Fail

Audited by Gen Agent Trust Hub on Apr 2, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses execute_bash to run glab CLI commands using parameters extracted from user-supplied GitLab URLs. The instruction to "strip https:// and everything from /-/ onward" to extract the repository reference is insufficient to prevent command injection. A crafted URL containing shell metacharacters (e.g., ;, &&, or backticks) in the path segments could lead to arbitrary command execution when interpolated into the command string: glab mr <cmd> <mr_id> --repo <repo_ref>.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted content from external GitLab repositories.
      • Ingestion points: The skill reads merge request diffs (glab mr diff), user comments and discussion threads (glab mr note list), and CI/CD pipeline logs (glab ci trace).
      • Boundary markers: The instructions do not define clear delimiters or isolate the untrusted external data from the system instructions. The content is directly passed to subagents (code-reviewer, security, qa) as part of their prompts.
      • Capability inventory: The skill possesses extensive capabilities including reading local files (fs_read), executing shell commands (execute_bash), and spawning subagents (InvokeSubagents).
      • Sanitization: No sanitization, escaping, or validation is performed on the data fetched from GitLab before it is utilized in the review and fix workflows.
  • [PROMPT_INJECTION]: The skill enables multi-step injection chains. In the "MR Fix," "MR CI Fix," and "MR Feedback" workflows, the agent generates instructions and code contexts based on potentially poisoned MR data and prompts the user to manually copy-paste this context into another skill (/neo-team-kiro). This allows a successful indirect injection to persist and influence actions in a separate execution environment.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 2, 2026, 03:30 AM