review-github-pr

Fail

Audited by Gen Agent Trust Hub on May 5, 2026

Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes arbitrary shell commands defined in a CLAUDE.md file during Phase 1 ('Automated Checks').
  • [PROMPT_INJECTION]: The skill is vulnerable to configuration poisoning because it switches to the Pull Request branch using gh pr checkout <number> before reading the validation commands from the local CLAUDE.md file. An attacker can submit a PR containing a modified CLAUDE.md with malicious commands (e.g., data exfiltration or system modification). Since the skill is instructed to 'Run the project's lint + type-check command' found in that file, it will execute the attacker's payload.
  • Ingestion points: PR diffs, descriptions, and the file system content of the checked-out PR branch (SKILL.md).
  • Boundary markers: The skill uses <pr-content> tags to wrap diffs and descriptions when passing them to sub-agents (SKILL.md).
  • Capability inventory: File system access, gh CLI access, and arbitrary shell command execution via Phase 1.
  • Sanitization: None. The skill relies on the LLM to follow instructions to ignore content within markers, but the automated check phase explicitly executes commands derived from untrusted project files.
  • [PROMPT_INJECTION]: The skill processes untrusted content from GitHub PRs. While it uses boundary markers to attempt to isolate this data, the agent's extensive capabilities (shell access, repository modification) create a high-risk surface for indirect prompt injection if the agent is persuaded to deviate from its instructions.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 5, 2026, 10:38 AM