
code-review

Pass

Audited by Gen Agent Trust Hub on May 15, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill implements a feature where it automatically loads and follows guidelines from a file located within the Pull Request branch being reviewed (.agents/skills/custom-codereview-guide.md). This creates a surface for Indirect Prompt Injection, where an untrusted contributor could include malicious instructions in that file to override the agent's persona, suppress security warnings, or bypass the risk evaluation framework for that specific review session.
  • Ingestion points: .agents/skills/custom-codereview-guide.md and the PR code changes.
  • Boundary markers: The instructions require a specific YAML frontmatter trigger (triggers: [/codereview]), but do not specify clear delimiters to prevent the content of the guide from escaping its intended context.
  • Capability inventory: The skill possesses capabilities for file system access, shell command execution, and network operations (via gh, npm, pip).
  • Sanitization: There is no mention of sanitizing or validating the contents of the custom guide file before it is incorporated into the agent's context.
  • [COMMAND_EXECUTION]: The supply chain security documentation (references/supply-chain-security.md) provides the agent with specific shell commands to execute for dependency verification. These include gh release view, npm view, pip index versions, npm pack, git clone, and diff -r. While these are used for security auditing, the agent is instructed to run them based on package names and repository URLs found in the code changes, which could lead to command injection if the underlying tools or the agent's interpretation of inputs are manipulated.
  • [EXTERNAL_DOWNLOADS]: The skill's verification process involves downloading external artifacts from public registries (PyPI, npm) and cloning source code from external Git repositories to perform security diffs. These operations are intended for auditing but involve interacting with external network resources during the review process.
Audit Metadata
Risk Level: SAFE
Analyzed: May 15, 2026, 02:30 PM