Gen Agent Trust Hub audit: qa-changes (skills/openhands/skills/qa-changes)

Verdict: Warn

Audited by Gen Agent Trust Hub on May 8, 2026

Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill's primary function is to bootstrap environments and execute software from pull requests to perform functional QA. This involves running package managers (e.g., npm install, pip install, uv sync), build tools (make, cargo build), and the application itself. While necessary for the skill's purpose, this behavior executes untrusted code from the PR being analyzed.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by design. It ingests data from untrusted sources (PR descriptions, README.md, Makefile, and package.json files within a PR) and uses that data to determine which commands to execute. There are no boundary markers or instructions to ignore embedded commands within the processed files.
      • Ingestion points: PR title, description, diffs, and repository metadata files (README.md, Makefile, etc.) referenced in Phase 1 and 2 of SKILL.md.
      • Boundary markers: None identified; the agent is instructed to "Read the repo's bootstrap instructions" and follow them directly.
      • Capability inventory: The skill has broad capabilities including file system access, dependency installation, command execution, and making network requests (Phase 2 and 3 of SKILL.md).
      • Sanitization: No sanitization or validation of the ingested instructions is described.
  • [COMMAND_EXECUTION]: The skill explicitly instructs the agent to "Run the actual application, CLI, or server" and "Make real HTTP requests, run real commands." This provides a high-privilege execution environment for any malicious code contained within a pull request.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 8, 2026, 04:30 AM