custom-codereview-guide
Pass
Audited by Gen Agent Trust Hub on Jun 20, 2026
Risk Level: SAFE (findings tagged PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill contains instructions that explicitly direct the agent to bypass its default safety and quality guidelines. It mandates that the agent "always approve" specific PRs and to "Skip the full code review analysis (data structures, complexity, pragmatism, etc.)", overriding the agent's core instruction to be a critical reviewer.
- [COMMAND_EXECUTION]: The skill instructs the agent to execute administrative shell commands using the GitHub CLI (gh api) to submit code approvals. This grants the agent the capability to perform state-changing operations on the repository based on the logic provided in the skill.
- [PROMPT_INJECTION]: The skill establishes a significant surface for indirect prompt injection by requiring the agent to perform actions based on untrusted external data.
  - Ingestion points: The agent evaluates untrusted data from GitHub pull requests, specifically PR titles, branch names, and file diffs (SKILL.md).
  - Boundary markers: There are no instructions for the agent to use boundary markers or to ignore potential instructions embedded within the processed PR data.
  - Capability inventory: The agent is given the capability to execute gh api commands to approve pull requests in the repository.
  - Sanitization: The instructions do not require validation of the PR content beyond checking for keywords in the title and specific filenames, which could allow an attacker to bypass review by spoofing PR metadata while including malicious code changes.
Audit Metadata