github-pr-reviewer

Pass

Audited by Gen Agent Trust Hub on Jun 24, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted pull request content (titles, descriptions, and comments) within an agent environment that has access to sensitive tools and credentials.
  • Ingestion points: In scripts/main.py, the _build_review_prompt function interpolates the PR title and description directly into the prompt. Furthermore, the agent is instructed to use gh pr view to inspect the PR's discussion and comments, which are attacker-controllable.
  • Boundary markers: The PR description is enclosed in triple-dash (---) delimiters, which offer a weak structural separation but are not sufficient to prevent a model from following malicious instructions embedded in the description.
  • Capability inventory: The reviewer agent is equipped with the terminal and file_editor tools and is granted access to the GITHUB_PERSONAL_ACCESS_TOKEN via the secrets payload in the create_conversation call. A successful indirect injection could lead to arbitrary command execution or token exfiltration.
  • Sanitization: The script does not perform sanitization, filtering, or validation on the PR content or comments before they are presented to the LLM.
  • [COMMAND_EXECUTION]: The skill's setup process involves the agent generating and writing a Python script (main.py) to the filesystem based on user input. While the instructions recommend using json.dumps() for safety, this pattern relies on the setup agent's adherence to instructions to prevent code injection during the customization phase.
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 24, 2026, 08:21 AM
Security Audit — agent-trust-hub — github-pr-reviewer