review-pr
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE
Flags: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill retrieves untrusted content from GitHub pull requests and issues and includes it in a sub-agent's prompt without sanitization.
  - Ingestion points: In Phases 1 and 2 of SKILL.md, the skill fetches PR_TITLE, PR_BODY, and TICKET_CONTENT using the GitHub CLI. This data is controlled by external PR authors.
  - Boundary markers: The skill uses XML-style tags (e.g., <ticket_context>) to delineate untrusted data. These markers provide a basic level of protection but are not robust against determined prompt injection attacks.
  - Capability inventory: The skill can perform write operations on the repository, specifically posting review comments and status updates via gh api in Phase 5.
  - Sanitization: No explicit sanitization or validation of the fetched GitHub content is performed before it is interpolated into the prompt.
- [COMMAND_EXECUTION]: The skill dynamically constructs a JSON payload for the GitHub API from output derived from untrusted PR data.
  - Evidence: In Phase 5, the skill writes a temporary file /tmp/pr-review.json containing the review summary and status, which is then passed as input to the gh api command.
  - Risk: Although the skill uses a shell heredoc, which limits expansion, the process relies on the sub-agent correctly formatting output that originated from untrusted sources. This creates a potential path for data manipulation or action spoofing if the sub-agent is compromised via prompt injection.
Audit Metadata