
pr-verify

Fail

Audited by Gen Agent Trust Hub on May 9, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill's workflow automatically executes the dev script from a project's package.json using pnpm, npm, yarn, or bun after checking out a Pull Request branch. Because the verification happens at runtime on the PR code, a malicious contributor can embed arbitrary commands in the scripts section or the application's boot logic, leading to full code execution on the system running the agent.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection by processing untrusted data from GitHub.
      • Ingestion points: Pull Request descriptions, titles, and linked Issue bodies via gh pr view and closingIssuesReferences.
      • Boundary markers: Absent. The agent is instructed to derive acceptance criteria and user actions directly from these external text sources, without delimiters or instructions to ignore embedded commands.
      • Capability inventory: Includes shell command execution (npm run dev), GitHub PR modification (gh pr comment, gh pr edit), and browser automation (Chrome DevTools MCP).
      • Sanitization: Absent. There is no evidence of filtering or validation of the content retrieved from GitHub before it influences the agent's task list.
  • [EXTERNAL_DOWNLOADS]: The use of package managers (npm, pnpm, yarn) to boot the server often triggers lifecycle scripts and may download and install dependencies if the environment is not pre-configured, which can be exploited via dependency confusion or malicious PR updates to dependency files.
  • [COMMAND_EXECUTION]: The skill relies heavily on shell commands (gh, pnpm, etc.) into which variables such as PR numbers and issue content are interpolated. If the underlying platform does not provide strict argument sanitization, this could lead to command injection.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: May 9, 2026, 05:44 PM
Security Audit — agent-trust-hub — pr-verify