The Agent Skills Directory

[COMMAND_EXECUTION]: The review workflow in references/review-workflow.md and references/performance-review.md encourages the agent to run project-specific commands such as npm test, pytest, go test, and npm run build. This involves executing code from the pull request being reviewed, which is an untrusted source. While necessary for verifying the PR's impact, this poses a risk if the PR contains malicious build/test scripts.
[INDIRECT_PROMPT_INJECTION]: The skill is designed to ingest and process data from pull request bodies, linked issues, commit messages, and the code diff itself as detailed in references/review-workflow.md. This content is attacker-controllable and could contain instructions designed to manipulate the agent's behavior during the review process.
Ingestion points: gh pr view, gh issue view, and gh pr diff commands used in Phase 1 and Phase 4.
Boundary markers: The instructions do not explicitly mandate the use of XML tags or other delimiters to isolate untrusted PR content from the agent's system instructions.
Capability inventory: The agent can execute gh and git commands, run local shell commands (test/build), and post comments back to GitHub.
Sanitization: No specific sanitization or filtering of input from PR content is described in the workflow.
[DATA_EXFILTRATION]: The skill has the capability to read local file contents and PR metadata and then post this information back to GitHub via gh pr comment or gh pr review. While this is the intended functionality, it could be abused if an indirect injection instructs the agent to leak sensitive local files (e.g., .env, .ssh) into a PR comment.

review-pr