drive-code-review

Pass

Audited by Gen Agent Trust Hub on May 17, 2026

Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection (Category 8) because it processes untrusted data from external sources to define the parameters of its code review.
      • Ingestion points: The skill reads content from GitHub PR titles and bodies, Linear tickets, and repository files like spec.md or design docs (documented in SKILL.md under Step 2.2).
      • Boundary markers: Absent. There are no instructions to the agent to treat ingested data as untrusted or to ignore embedded instructions within those sources.
      • Capability inventory: The agent is granted shell access to run git and gh CLI commands. Crucially, the skill explicitly instructs the user/orchestrator to launch subagents without readonly restrictions to allow them to write artifacts to disk.
      • Sanitization: None. The skill does not describe any filtering or sanitization of the data ingested from PRs or tickets.
  • [COMMAND_EXECUTION]: The skill uses standard developer tools, specifically the git and gh (GitHub) CLI, to analyze the repository state and fetch PR metadata. While these are legitimate tools, they represent a surface area for command-line interaction with the host system.
  • [DATA_EXPOSURE]: The skill is designed to read and process PR metadata and project management data (Linear). This involves accessing potentially sensitive project information, though it is used within the scope of the intended code review functionality.
Audit Metadata
Risk Level: SAFE
Analyzed: May 17, 2026, 05:56 AM