skills/witooh/skills/gitlab-kiro/Gen Agent Trust Hub

gitlab-kiro

Fail

Audited by Gen Agent Trust Hub on Mar 18, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The URL parsing logic in SKILL.md is vulnerable to shell injection. The skill extracts repo_ref and mr_id from user-provided GitLab URLs by stripping specific prefixes and suffixes, then interpolates these strings directly into glab commands executed via the shell tool. An attacker could provide a URL containing shell metacharacters (e.g., ;, &&, |) to execute arbitrary commands.
  • [REMOTE_CODE_EXECUTION]: The command injection vulnerability in the URL processing workflow allows for remote code execution. By crafting a malicious URL, a user or external actor (if the URL is sourced from untrusted data) can gain unauthorized shell access to the agent's environment.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted data from external GitLab merge requests.
      • Ingestion points: The skill fetches MR metadata, diffs, and comments using glab mr view, glab mr diff, and glab mr note list as described in SKILL.md.
      • Boundary markers: While it uses markdown headers (e.g., ## Diff, ## Existing MR Comments) to structure the subagent query, it lacks explicit instructions or technical boundaries to prevent the subagents from obeying instructions embedded within the diff or comments.
      • Capability inventory: The skill possesses significant capabilities, including shell access, file reading, and the ability to invoke subagents for code review and implementation.
      • Sanitization: There is no evidence of sanitization or escaping of the fetched GitLab content before it is passed to the parallel review subagents.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 18, 2026, 09:33 AM