skills/midudev/autoskills/PR Review/Gen Agent Trust Hub

PR Review

Pass

Audited by Gen Agent Trust Hub on May 12, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill processes untrusted content from GitHub pull requests (descriptions, comments, and file changes), which presents an indirect prompt injection surface.
      • Ingestion points: Pull request metadata (via gh pr view), existing comments (via get_pr_comments.sh), and the codebase itself during the review process.
      • Boundary markers: The instructions do not define explicit delimiters to isolate PR content from the agent's instructions.
      • Capability inventory: The skill can modify the local filesystem (editing files during local reviews) and post comments to GitHub (via submit_pr_review.sh or MCP tools).
      • Sanitization: No explicit sanitization of the ingested PR content is performed before processing.
      • Mitigation: A critical safety rule requires explicit, written user confirmation before any content is posted to a PR, protecting against unauthorized actions triggered by malicious PR data.
  • [SAFE]: All included bash scripts use the GitHub CLI (gh) and jq for legitimate PR management tasks. No evidence of obfuscation, credential theft, or unauthorized network activity was found.
Audit Metadata
Risk Level: SAFE
Analyzed: May 12, 2026, 10:26 AM