The Agent Skills Directory

[PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting untrusted data from public GitHub issues without sufficient sanitization or boundary markers.
Ingestion points: Step 2.1 reads the body of GitHub issues via the gh api tool.
Boundary markers: There are no delimiters or instructions to treat the issue content strictly as data, making the agent vulnerable to instructions embedded in the '误报原因' (false positive reason) or '误报原文' (original report) fields.
Capability inventory: The agent possesses powerful capabilities including the ability to Edit and Write repository files (including rule definitions and its own configuration), perform git commit and git push operations, and create pull requests.
Sanitization: No validation is performed on the extracted content before it is used to analyze and modify the repository's security rules.
[COMMAND_EXECUTION]: The skill uses variables derived from untrusted issue content in shell commands, creating a risk of command injection or path traversal.
Evidence: In Step 2.4, variables such as {REPO} and {PR_NUM} are used in the command rm -rf /tmp/vibe-review-{REPO}-{PR_NUM}. While the platform restricts this to the /tmp/vibe-review-* pattern, carefully crafted inputs containing path traversal sequences (e.g., ../) could attempt to target other directories.
[SAFE]: The skill utilizes dynamic context injection (!) for environment discovery, which is a legitimate and benign use case for identifying the current repository and directory.
Evidence: Use of !git remote -v and !pwd in the '当前环境' section to establish context at load time.

fix-false-positive