review-pr

Pass

Audited by Gen Agent Trust Hub on May 17, 2026

Risk Level: SAFE
Full Analysis
  • [INDIRECT_PROMPT_INJECTION]: The skill is designed to process untrusted data from GitHub pull requests, including code diffs, branch names, and community comments. This creates a surface for indirect prompt injection, where an attacker might attempt to influence the agent's behavior by embedding instructions in the code or PR conversation.
  • Ingestion points: Untrusted data enters the context via gh pr diff and gh api calls for reviews and comments, as well as linked issue content (detailed in SKILL.md and references/review-workflow.md).
  • Boundary markers: While the skill follows a rigid workflow to analyze findings, it does not explicitly instruct the agent to treat diff contents as potentially adversarial or to use specific delimiters when processing them.
  • Capability inventory: The skill possesses write capabilities, such as posting comments and submitting formal reviews to GitHub using the gh CLI (documented in references/gh-cli-reference.md).
  • Sanitization: The instructions do not specify sanitization or escaping of external content before interpolation into the agent's reasoning process.
Audit Metadata
Risk Level: SAFE
Analyzed: May 17, 2026, 10:40 PM
Security Audit — agent-trust-hub — review-pr