qa-changes
Fail
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill's primary methodology involves downloading and executing untrusted code from Pull Requests. In 'Phase 2: Set Up the Environment' and 'Phase 3: Exercise the Changed Behavior', the agent is instructed to run installation commands (e.g., npm install, pip install, cargo build) and execute the resulting software (CLI tools, servers, or browser-based apps). This allows for arbitrary code execution if a PR contains malicious logic or modified configuration files (like package.json scripts).
- [COMMAND_EXECUTION]: The agent is directed to run a wide range of shell commands derived from the target repository's documentation and the PR itself. This includes bootstrap commands from README.md or AGENTS.md, and functional tests like starting servers or making curl requests. The instructions encourage real execution over dry-runs, increasing the risk of executing dangerous system commands embedded in a malicious PR.
- [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection because its logic is driven by untrusted external data. The agent is instructed to 'Understand the Change' by reading the PR title, description, and linked issues, and then to 'form a clear hypothesis' that guides its subsequent command execution. An attacker could embed malicious instructions within these fields to hijack the agent's behavior.
- Ingestion points: PR diffs, PR titles, PR descriptions, linked issues, and repository-level configuration files (SKILL.md, README.md, etc.).
- Boundary markers: Absent. The instructions do not specify any delimiters or safety warnings to distinguish between trusted instructions and untrusted data from the PR.
- Capability inventory: Dependency managers (npm, pip, uv, cargo), shell execution, network requests (curl, httpie), and browser automation (Playwright).
- Sanitization: Absent. There is no requirement for the agent to sanitize or validate the content of the PR before acting upon it.
Recommendations
- AI detected serious security threats
Audit Metadata