Gen Agent Trust Hub audit: skills/metamask/ocap-kernel/pr

Skill: pr

Result: Pass

Audited by Gen Agent Trust Hub on Jun 24, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION

Full Analysis
  • [PROMPT_INJECTION]: The skill has an indirect prompt injection surface because it processes untrusted data (git diffs) through various review sub-prompts. A malicious actor could potentially include instructions within a code change that attempt to influence the agent's review output.
  • Ingestion points: The output of git diff is ingested in Phase 2 for analysis by correctness, style, security, and test coverage subagents.
  • Boundary markers: No explicit delimiters or boundary markers (such as XML tags or specific 'ignore instructions' warnings) are defined for the diff content before it is passed to the sub-prompts.
  • Capability inventory: The skill can execute shell commands (git, gh), write to the filesystem (Phase 5 changelog updates), and perform network operations via the GitHub CLI (gh pr create, gh pr edit).
  • Sanitization: There is no evidence of sanitization or filtering of the git diff content before it is interpreted by the agent.
  • [COMMAND_EXECUTION]: The skill executes multiple local shell commands to manage the PR workflow. These include repository inspection (git status, git log, git merge-base, git diff), GitHub API interaction (gh pr list, gh pr create, gh pr edit), and repository modification (git commit). These operations are consistent with the skill's stated purpose and run under the skill's unsandboxed: true configuration.
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 24, 2026, 06:16 PM
Security Audit — agent-trust-hub — pr